Package: shim* (shim-signed, shim-signed-common, shim-helpers-amd64-signed, shim-unsigned) Version: 1.36~1 Platform: amd64
Dear Maintainer, I'm using Secure Boot for an AMD64 system and I have installed the non-free nvidia graphics driver (nvidia-driver). To use Secure Boot, I have to sign the additional NVidia modules manually with the following steps: 1) create a self-signed certificate using openssl -> I have got the key file <hostname>.der 2) sign all module files with the script: /lib/modules/<kernel version>/build/scripts/sign-file 3) import the key with the command: mokutil --import <hostname>.der 4) Reboot the system and enroll the key after entering the passphrase These steps works fine for me, but after upgrading to Debian 10.10 it does no longer work, the kernel cannot start the NVidia driver, and the error log says, that the kernel cannot find a trusted key. After running the command "mokutil --list-enrolled" I have got the message "MokListRT is empty." Then I have installed an older Debian Version 10.2 with the older package shim-signed, Version: 1.33+15153313, an now I can see the imported key using the command mokutil --list-enrolled. As Workaround I have installed the older Debian Version 10.2 and have upgraded to 10.10 except the packages for shim, then I have installed the nvidia driver and then signed the NVidia module files and now I can boot into a graphical Desktop. Best regards, Christian
