Loading keys to system key ring

Hello Folks,

I’m trying to sign my nvidia drivers and generated a public and private key like mentioned at the fedora documentation.
I also enrolled it and signed the kernel at installation of nvidia drivers, but I think the key wont load into the system key ring.

sudo keyctl list %:.builtin_trusted_keys

looks like this:

1 key in keyring:
161775595: —lswrv 0 0 asymmetric: Fedora kernel signing key…


sudo keyctl list %:.secondary_trusted_keys

looks like this:

2 keys in keyring:
435001795: —lswrv 0 0 keyring: .builtin_trusted_keys
623612370: —lswrv 0 0 keyring: .machine

So it looks like, my key wont load into the key ring, but I dont get why.
(Secure boot is enabled)

Can anyone help me please?

Thank you in advanced!

Check the output:

mokutil --sb-state; sudo mokutil -t /etc/pki/akmods/certs/public_key.der

See also: Enrolling MOK certs

For modules built by akmods, like the nvidia drivers, the steps in /usr/share/doc/akmods/README.secureboot are all that are required to properly sign the modules and enable bios to verify them.

The command kmodgenca that is given in that readme creates the file referenced by Vladislav above.

Note that if secure boot is enabled the enrolled key is checked against the module, if secure boot is disabled the module is not checked.

Hey, thank you both for your fast reply!

Sorry, I think I was a bit unclear.
I need to use the official nvidia driver from their website, because of Davinci Resolve, so I made own keys using openssl.

sudo mokutil --list-enrolled

is also listing my key and if I test it with:

sudo mokutil --test-key /etc/pki/ca-trust/source/anchors/nvidia-public-key.der

Output is:

/etc/pki/ca-trust/source/anchors/nvidia-public-key.der is already enrolled

So its definitely enrolled…

Omg, I found the issue!
Its not my foult but I think of Nvidia?

Problem is, all modules were installed to /lib/modules/6.2.9-200.fc37.x86_64/extra/
But if fedora trys to start the modules, it looks at /lib/modules/6.2.9-200.fc37.x86_64/kernel/drivers/video/

So I simply copied all modules to this folder and it works, also after a restart.

what the hack :smile:

I’m not sure if its a problem of fedora, not looking at the right folders or of nvidia?
Maybe I can report this issue to one of them.

(but the key is still not listet at builtin_trusted_keys and secondary_trusted_keys :thinking:)

You probably missed:

sudo depmod -a

Using DKMS or akmods should automate the process.

1 Like


It might have helped if the Fedora documentation mentioned the use of dkms to install 3rd party drivers from source. For someone who has never build modules from source, the need for depmod is well-hidden:

The above mentioned documentation is Fedora-specific, and refers to Module HOWTO which is a more generic linux document.
depmod gets mentioned in the list of modutils programs under LKM Utilties as:


    Determine interdependencies between LKMs.