Installing nvidia drivers on a fedora 36 (in dual boot with windows 11) with secure boot enabled

Hey there, I’m a new fedora user (ubuntu user previously), I’ve installed fedora recently and I’m trying to make my setup work.

So I have secure boot enabled (need it on windows side for anti-cheats) and I’m trying to install nvidia driver for my GPU.

I’ve add RPM Fusion repo(s) as documentation suggested: rpmfusion/Configuration

I’ve followed the instruction from RPM Fusion doing:

sudo dnf update -y

sudo dnf install akmod-nvidia

sudo dnf install xorg-x11-drv-nvidia-cuda

also :

sudo dnf install vulkan

sudo dnf install xorg-x11-drv-nvidia-cuda-libs

and after that followed the secure-boot instruction :

sudo /usr/sbin/kmodgenca

sudo mokutil --import /etc/pki/akmods/certs/public_key.der

and entered a password and restared the system.

entered the password on secure boot page.

while booting got this error:

NVIDIA kernel module missing. Falling back to nouveau.

I have no idea what did I miss.

CPU: Intel core i5-9300H

GPU: Nvidia Geforce GTX1650(Notebook)

OS: Fedora 36 (dual boot windows 11)

Kernel: 5.17.4

That error tells you the nvidia module did not load.

You can see the messages related with the command dmesg | grep -iE "secure|nvidia"

It may be that the proper key was not saved and you will have to try again. Worst case, you can disable secure boot.

It seems likely that the first time you boot and go through the steps it will write the key to firmware then the next time you boot it will be available. Just try rebooting before you do anything else.

I just did an upgrade from fedora 34 to 36 with an nvidia GPU

I had to do a little adjustment within the BIOS to make secure boot work.
I had previously had secure boot disabled and had to go back in and enable it. One thing that forced was to put the bios into UEFI boot only (disabling CSM mode), then enabling secure boot.

On the next boot it popped up a ‘mok util’ window through which I then enrolled the key which was generated using the steps you displayed above.

Once the key was enrolled, the next boot properly used the nvidia driver.

Just as another note,
These steps probably were needed since the upgrade was done before the kmodgen command was available and the key was not available to sign the driver when the system upgrade was done.

After doing the kmodgenca step and the mokutil --import step, I then did additionally the following.

dnf remove kmod-nvidia-5.17.*
dnf reinstall akmod-nvidia

then rebooted to force a rebuild of the nvidia driver with the newly generated key available so it was properly signed.

With the key saved into the bios and the driver newly rebuilt and signed the next boot loaded it properly with secure boot enabled.

I suspect that if you do these last 2 steps it should load for you properly.

Since I had done lots of things to make it work, I’ve done a fresh install.
This is what I’ve done after the fresh install.
Steps:

sudo dnf update
sudo reboot

After update kernel 5.17.4 became my default in grub menu (before that it was 5.17.0-rc1).

sudo  dnf install akmod-nvidia
sudo reboot

After installing nvidia drivers and while booting in grub menu I’ve notice that default kernel had change to 5.17.3 (before that it was 5.17.4) and I’ve booted into 5.17.3 and my second monitor was not working neither my wifi so I’ve rebooted to 5.17.4.

sudo mokutil --import /etc/pki/akmods/certs/public_key.der

After importing and enrolling the key, I’ve selected the 5.17.4 and I’ve got the same error under OEM logo:

NVIDIA kernel module missing. Falling back to nouveau.

After that (using 5.17.4) I did run the commands that you suggested:

sudo dnf remove kmod-nvidia-5.17.*
sudo dnf reinstall akmod-nvidia

After reboot same thing happened.
After that I’ve tried to test 5.17.3 and It didn’t boot at all, stuck in a black screen.

Here are some info:

dmesg | grep -iE "secure|nvidia"
[    0.000000] Command line: BOOT_IMAGE=(hd2,gpt4)/boot/vmlinuz-5.17.4-300.fc36.x86_64 root=UUID=dd6aae6e-****-****-****-366f9f9751d8 ro resume=UUID=33c275e8-****-****-****-54cfc28bdbba rhgb quiet rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.010830] secureboot: Secure boot enabled
[    0.057047] Kernel command line: BOOT_IMAGE=(hd2,gpt4)/boot/vmlinuz-5.17.4-300.fc36.x86_64 root=UUID=dd6aae6e-5022-4f92-b19b-366f9f9751d8 ro resume=UUID=33c275e8-3222-4f56-ab01-54cfc28bdbba rhgb quiet rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1
[    0.886451] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde3****c2d61db1bf5807335d7b20e4cd963b42'
[    0.886650] integrity: Loaded X.509 cert 'ubuntu-pc Secure Boot Module Signature key: 0818****524fa6b9f2aaff6a8cce10d1480c9f21'
[    5.003824] input: HDA NVidia HDMI/DP,pcm=3 as /devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1/input15
[    5.003934] input: HDA NVidia HDMI/DP,pcm=7 as /devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1/input16
[    5.004055] input: HDA NVidia HDMI/DP,pcm=8 as /devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1/input17
[    5.004176] input: HDA NVidia HDMI/DP,pcm=9 as /devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1/input18
[  130.593421] nouveau 0000:01:00.0: NVIDIA TU117 (167000a1)

P.S. While using 5.17.4 when I run

ls /usr/src/kernels
5.17.3-302.fc36.x86_64

I dont see headers for 5.17.4.

Thank you for your help.

I noted that this post skipped the kmodgenca step which is required before the mokutil --import step (especially with a new clean install)

Please try again in the following order.

1. sudo dnf remove kmod-nvidia
2. sudo kmodgenca
3. sudo mokutil --import /etc/pki/akmods/certs/public_key.der
4. sudo akmods --force
   Then wait about 3-5 minutes
5. dnf list installed kmod-nvidia* should now show a new kmod-nvidia for the current kernel (if not it will be created during the next boot)
6. reboot and repeat the import step during boot.
7. Now it should boot and load the driver since the new driver will be signed by the latest key generated.

kernel headers do not always update if there are no changes.
Kernel-devel however should always match the installed kernel. What is the output of dnf list installed kernel*5.17.4*?

Ya I’ve skipped that on purpose as secure-boot instruction referred to /usr/share/doc/akmods/README.secureboot :

[user@fedora ~]$  cat /usr/share/doc/akmods/README.secureboot
Secure boot is a setup using UEFI firmware to check cryptographic
signatures on the bootloader and associated OS kernel to ensure they
have not been tampered with or bypassed in the boot process.

This verification can be extended to Kernel and its modules.
It's default case in Fedora with UEFI and Secure boot enabled.

Fedora Project have signed kernels and also main modules with Fedora
Key, but 3rd party modules as NVidia, VirtualBox, etc. need to be signed
to load.

Akmods provides an enroll process to sign third party modules with your
own keypair.

At the first run of the akmods.service, certificate and keypair will be
created with default value using the '/usr/sbin/kmodgenca' script.

You may also wish to manually create your own certificate and keypair
with `/usr/sbin/kmodgenca` command.
If '/usr/sbin/kmodgenca' is launched with the '-a' parameter, it will
use default values to complete the cacert.config file, and to generate
automatically the cert and the private key.
If '/usr/sbin/kmodgenca' is launched without parameters, user will be
prompted to complete manually the cacert.config file, then the cert and
the private key will be automatically generated.
If the cert and the private key files already exist,
'/usr/sbin/kmodgenca' will exit unless the '-f' parameter is used.

The cert and the private key are stored respectively in
/etc/pki/akmods/certs and /etc/pki/akmods/private/ directories.

Now you need to enroll the public key in MOK, this process is described
below.
- Ask MOK to enroll new keypair with certificate with the command
  `mokutil --import /etc/pki/akmods/certs/public_key.der`.
- mokutil asks to generate a password to enroll the public key.
- Rebooting the system is needed for MOK to enroll the new public key.
- On next boot MOK Management is launched and you have to choose
  "Enroll MOK".
- Choose "Continue" to enroll the key or "View key 0" to show the keys
  already enrolled.
- Confirm enrollment by selecting "Yes".
- You will be invited to enter the password generated above.
  WARNING: keyboard is mapped to QWERTY!
- The new key is enrolled, and system ask you to reboot.

You can confirm the enrollment of the new keypair once the system
rebooted with:
 `mokutil --list-enrolled | grep Issuer`
or with:
 `mokutil --test-key /etc/pki/akmods/certs/public_key.der`

This part:

At the first run of the akmods.service, certificate and keypair will be
created with default value using the '/usr/sbin/kmodgenca' script.

As for the instruction:

[user@fedora ~]$ dnf list installed kmod-nvidia*
Installed Packages
kmod-nvidia-5.17.3-302.fc36.x86_64.x86_64                                                    3:510.60.02-1.fc36                                                    @@commandline
[user@fedora ~]$ sudo dnf remove kmod-nvidia-5.17.4*
No match for argument: kmod-nvidia-5.17.4*
No packages marked for removal.
Dependencies resolved.
Nothing to do.
Complete!

[user@fedora ~]$ sudo kmodgenca
[user@fedora ~]$ sudo mokutil --import /etc/pki/akmods/certs/public_key.der
SKIP: /etc/pki/akmods/certs/public_key.der is already enrolled

As for the next command, I’ve tried it multiple times but same result:

[user@fedora ~]$ sudo akmods --force
Checking kmods exist for 5.17.4-300.fc36.x86_64            [  OK  ]
Files needed for building modules against kernel
5.17.4-300.fc36.x86_64 could not be found as the following
directories are missing:
/usr/src/kernels/5.17.4-300.fc36.x86_64/
/lib/modules/5.17.4-300.fc36.x86_64/build/Is the correct ke[FAILED]el package installed?
Checking kmods exist for 5.17.3-302.fc36.x86_64            [  OK  ]
[user@fedora ~]$ sudo akmods --force
Checking kmods exist for 5.17.4-300.fc36.x86_64            [  OK  ]
Files needed for building modules against kernel
5.17.4-300.fc36.x86_64 could not be found as the following
directories are missing:
/usr/src/kernels/5.17.4-300.fc36.x86_64/
/lib/modules/5.17.4-300.fc36.x86_64/build/Is the correct ke[FAILED]el package installed?
Checking kmods exist for 5.17.3-302.fc36.x86_64            [  OK  ]
[user@fedora ~]$ sudo akmods --force
Checking kmods exist for 5.17.4-300.fc36.x86_64            [  OK  ]
Files needed for building modules against kernel
5.17.4-300.fc36.x86_64 could not be found as the following
directories are missing:
/usr/src/kernels/5.17.4-300.fc36.x86_64/
/lib/modules/5.17.4-300.fc36.x86_64/build/Is the correct ke[FAILED]el package installed?
Checking kmods exist for 5.17.3-302.fc36.x86_64            [  OK  ]

[user@fedora ~]$ dnf list installed kmod-nvidia*
Installed Packages
kmod-nvidia-5.17.3-302.fc36.x86_64.x86_64                                                    3:510.60.02-1.fc36                                                    @@commandline

As you see since import was skipped so after restarting dkms page didnt came up to enroll the keys and for the dnf list installed kmod-nvidia* got the same result after reboot.
Other info:

[user@fedora ~]$ dnf list installed kernel*5.17.4*
Installed Packages
kernel.x86_64                         5.17.4-300.fc36           @updates-testing
kernel-core.x86_64                    5.17.4-300.fc36           @updates-testing
kernel-headers.x86_64                 5.17.4-300.fc36           @updates-testing
kernel-modules.x86_64                 5.17.4-300.fc36           @updates-testing
kernel-modules-extra.x86_64           5.17.4-300.fc36           @updates-testing

After all of that I also did Uninstall the NVIDIA driver and Recover from NVIDIA installer steps from RPM Fusion.
After that :

[user@fedora ~]$ sudo rm  -r  /etc/pki/akmods/*
[user@fedora ~]$ sudo /usr/sbin/kmodgenca
sudo: /usr/sbin/kmodgenca: command not found
[user@fedora ~]$ sudo dnf install akmod-nvidia
Installed:
  akmod-nvidia-3:510.60.02-1.fc36.x86_64                    akmods-0.5.7-7.fc36.noarch                                     annobin-docs-10.66-2.fc36.noarch                            
  annobin-plugin-gcc-10.66-2.fc36.x86_64                    bison-3.8.2-2.fc36.x86_64                                      debugedit-5.0-3.fc36.x86_64                                 
  dwz-0.14-2.fc35.x86_64                                    ed-1.14.2-12.fc36.x86_64                                       efi-srpm-macros-5-5.fc36.noarch                             
  egl-gbm-1.1.0-2.fc36.x86_64                               egl-wayland-1.1.9-4.fc36.x86_64                                elfutils-libelf-devel-0.186-3.fc36.x86_64                   
  fakeroot-1.27-1.fc36.x86_64                               fakeroot-libs-1.27-1.fc36.x86_64                               flex-2.6.4-10.fc36.x86_64                                   
  fonts-srpm-macros-1:2.0.5-7.fc36.noarch                   fpc-srpm-macros-1.3-5.fc36.noarch                              ghc-srpm-macros-1.5.0-6.fc36.noarch                         
  gnat-srpm-macros-4-15.fc36.noarch                         go-srpm-macros-3.0.15-1.fc36.noarch                            http-parser-2.9.4-6.fc36.x86_64                             
  info-6.8-3.fc36.x86_64                                    kernel-devel-5.17.3-302.fc36.x86_64                            kernel-devel-matched-5.17.3-302.fc36.x86_64                 
  kernel-srpm-macros-1.0-14.fc36.noarch                     kmodtool-1.1-3.fc36.noarch                                     koji-1.28.0-1.fc36.noarch                                   
  libgit2-1.3.0-2.fc36.x86_64                               lua-srpm-macros-1-6.fc36.noarch                                m4-1.4.19-3.fc36.x86_64                                     
  nim-srpm-macros-3-6.fc36.noarch                           nvidia-settings-3:510.60.02-1.fc36.x86_64                      ocaml-srpm-macros-6-6.fc36.noarch                           
  openblas-srpm-macros-2-11.fc36.noarch                     openssl-1:3.0.2-1.fc36.x86_64                                  openssl-devel-1:3.0.2-1.fc36.x86_64                         
  package-notes-srpm-macros-0.4-14.fc36.noarch              patch-2.7.6-16.fc36.x86_64                                     perl-srpm-macros-1-43.fc36.noarch                           
  python-srpm-macros-3.10-17.fc36.noarch                    python3-decorator-5.1.1-2.fc36.noarch                          python3-gssapi-1.7.2-2.fc36.x86_64                          
  python3-koji-1.28.0-1.fc36.noarch                         python3-progressbar2-3.53.2-4.fc36.noarch                      python3-pygit2-1.7.1-3.fc36.x86_64                          
  python3-requests-gssapi-1.2.3-4.fc36.noarch               python3-rpmautospec-0.2.5-1.fc35.noarch                        python3-utils-2.5.6-5.fc36.noarch                           
  qt5-srpm-macros-5.15.3-1.fc36.noarch                      redhat-rpm-config-212-1.fc36.noarch                            rpm-build-4.17.0-10.fc36.x86_64                             
  rpmautospec-rpm-macros-0.2.5-1.fc35.noarch                rpmdevtools-9.6-1.fc36.noarch                                  rust-srpm-macros-21-1.fc36.noarch                           
  xorg-x11-drv-nvidia-3:510.60.02-1.fc36.x86_64             xorg-x11-drv-nvidia-cuda-libs-3:510.60.02-1.fc36.x86_64        xorg-x11-drv-nvidia-kmodsrc-3:510.60.02-1.fc36.x86_64       
  xorg-x11-drv-nvidia-libs-3:510.60.02-1.fc36.x86_64        xorg-x11-drv-nvidia-power-3:510.60.02-1.fc36.x86_64            zlib-devel-1.2.11-31.fc36.x86_64                            

which installed the kernel-devel-5.17.3-302.fc36.x86_64 .
After this I’ve booted into 5.17.3 and did the:

sudo /usr/sbin/kmodgenca
sudo mokutil --import /etc/pki/akmods/certs/public_key.der

which did work (kinda) after enrolling the key I’ve booted into 5.17.3 and it seemed that the driver is installed my second monitor(connected directly to nvidia via hdmi) was working and nvidia settings was showing the driver version and everything but my laptop screen(main) wasnt working also my wasnt working either.
rebooting into 5.17.4 resulted in same error that I’ve got at first place.
so I think its RPM Fusion problem which is not supporting drivers for kernel 5.17.4 (just a guess).

Again thank you for help .

Thank you for the detailed explanation.

I am not sure where you got the 5.17.4 kernel since it does not appear to have been released yet for upgrades for F36. I just attempted an update and did not receive that kernel. Maybe it came from the testing repo and that could explain why the module for that kernel does not get built.

For at least now just boot with the 5.17.3 kernel and you should be good to go.

Fedora 36 has an option in gnome-software to enable third-party licensed software including NVidia drivers. I don’t know if you need a clean install as the repositories will be already configured in yum.d if you chose the option in the installer.

I had the same issue when updated to 5.17.4, seems the kernel-devel for this version was not downloading correctly for akmods.

I had to manually install it from here kernel-5.17.4-300.fc36 | Build Info | koji
Direct link: https://kojipkgs.fedoraproject.org//packages/kernel/5.17.4/300.fc36/x86_64/kernel-devel-5.17.4-300.fc36.x86_64.rpm

sudo dnf install kernel-devel-5.17.4-300.fc36.x86_64.rpm

Followed the instructions here, skipping point 6 Automatically sign NVidia Kernel module in Fedora 35 - Monosoul's Dev Blog

To sum it up:
I did yet another fresh install and disabled the testing repo(s) it was enabled by default (I guess because F36 is in beta).
And did a dnf update (this time 5.17.3 was install) after that followed the RPM Fusion instruction
which resulted with same error.
And after that did what @computersavvy suggested which worked just fine.

P.S. I’m done with installing nvidia driver with secure boot but my external monitor was not working which I’ll follow on another topic. (some info)

Thank you everyone for your time.

I’m using NVidia GTX Cuda enabled card on a desktop device … Fedora and RHEL made things so complicated with little support for ROS2 and other things so I went back to Ubuntu enabling dedicated repositories. Installing Fedora on Surface Go using 36 beta, I saw enabling third party software on installation and options in gnome-software NVidia drivers, Google Chrome and Steam. As EPEL and RPM Fusion have direct link to Fedora I thought that just from Fedora could make things easy … that’s all …

This is very generic and for those who are not familiar with the term (myself included) the acronym ‘ROS2’ is just noise.

ROS is Robot Operating System => www.ros.org.

I use only sudo dnf install almod-nvidia and it works perfectly on Fedora 35 with secure boot. Ensure that you have /boot and /boot/efi

I just installed from scratch F36 and install de nvidia drivers:

sudo dnf install akmod-nvidia*510*

But when I check after reboot in Settings-About then I see in Graphics:

Mesa Intel® UHD Graphics 630 (CFL GT2) / Mesa Intel® UHD Graphics 630 

Why? In F35 after execute the same command and of course after reboot my nvidia driver appeared.

Try sudo dnf install akmod-nvidia.

Did the response tell you it installed properly?

Honestly, I dont recall seeing any error after the instalation.

Slightly complicated … open source, close source … visit Red Hat site https://www.redhat.com/en/partners/nvidia about high level assets.

That reply is from an extremely outdated post. Please let us not muddy the waters here when the thread already has a solution marked. Ubuntu already has released 22.04 LTS and that post is likely about 2 years old.

Referencing an old post on RedHat when the discussion is about Fedora 36 is way off the mark.