Machine Owner Key Enrollment

Jiri Eischmann Version F40 Last review: 2024-06-15
This page documents how to enroll a machine owner key that is created during the Nvidia driver installation (typically in GNOME Software).

Prerequisite

The Nvidia driver has been installed and a machine owner key to self-sign the driver has been created in GNOME Software (or in a similar tool that supports it).

Enrolling Self-signing Key after Reboot

To reboot successfully into Fedora Workstation after the Nvidia driver installation, you have to enroll the machine owner key you created during installation in GNOME Software. During the reboot you'll be presented with the mokutil tool. Follow the steps below to enroll the key:

  1. Press any key to continue.

  2. Select Enroll MOK.

  3. Select Continue to proceed to the enrollment.

  4. Select Yes to enroll the key.

  5. Type the password you created for the key during installation.

  6. Select Reboot to reboot into the OS with the Nvidia drivers enabled.

Security Implications

Note that the enrolled machine owner key will be used to sign any future updates to the module, as well as any other module you decide to install, and these will be implicitly trusted. All future updates will happen transparently, with no interaction or authorization required. It is therefore recommended to delete the machine owner key when it is no longer needed.

Deleting Machine Owner Key

To delete the machine owner key, run the following command in the terminal:

$ sudo mokutil --delete /etc/pki/akmods/certs/public_key.der
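
The delete command only queues a request that has to be confirmed in the MOK manager at the next boot, so the key stays trusted until then. The script below is an added example, not part of the original page: it reports whether the akmods certificate is enrolled, pending deletion, or absent. The function names are hypothetical, and it assumes `openssl` is installed and that `mokutil` prints a `SHA1 Fingerprint:` line for each key it lists.

```bash
#!/usr/bin/env bash
# Added example: report whether the akmods signing certificate is still trusted.
CERT=/etc/pki/akmods/certs/public_key.der   # path taken from the command on this page

# Filter: reduce "SHA1 Fingerprint: 2b:e9:..." (assumed mokutil listing format) or
# "SHA1 Fingerprint=2B:E9:..." (openssl) to bare lowercase hex for comparison.
norm_fp() {
    sed 's/.*[Ff]ingerprint[=:] *//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# list_has_fp LIST_TEXT FP: succeed if a fingerprint line in LIST_TEXT equals FP.
list_has_fp() {
    [ -n "$2" ] && printf '%s\n' "$1" | grep -i 'SHA1 Fingerprint' \
        | norm_fp | grep -qxF "$2"
}

# mok_key_state ENROLLED_TEXT DELETE_TEXT FP prints one of:
#   delete-pending  deletion is queued; the key is still trusted until it is
#                   confirmed in the MOK manager at the next boot
#   enrolled        key is trusted and no deletion is queued
#   absent          key is not in the MOK list
mok_key_state() {
    if list_has_fp "$2" "$3"; then
        echo delete-pending
    elif list_has_fp "$1" "$3"; then
        echo enrolled
    else
        echo absent
    fi
}

# Live check: runs only where the tools and the certificate are available.
if command -v mokutil >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 \
        && [ -r "$CERT" ]; then
    fp=$(openssl x509 -inform DER -in "$CERT" -noout -fingerprint -sha1 | norm_fp)
    mokutil --sb-state || true
    enrolled=$(mokutil --list-enrolled 2>/dev/null || true)
    pending=$(mokutil --list-delete 2>/dev/null || true)
    echo "akmods key: $(mok_key_state "$enrolled" "$pending" "$fp")"
fi
```

Run it again after the reboot: the deletion has taken effect only once the result is `absent`.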