Nvidia drivers with secure boot no longer working and cannot enroll new key

Hello, everyone!
There was a post about a problem with new drivers and secure boot - it stopped working and a solution was found, but it doesn’t work for me. Here you can find the previous post.

The solution is to reinstall akmod and re-sign the drivers. But I cannot re-sign the drivers: mokutil fails with an error: “Failed to enroll new keys”

I assume that you have secureboot disabled at the moment. If not then please boot to the bios setup menu and disable secure boot so the drivers can be loaded while working on getting the modules signed and bios to properly allow loading them.

Please post the output from the following.
cat /sys/firmware/efi/efivars
then add
dnf list installed \*nvidia\*
and
uname -r

That info should allow us to start.

I have secureboot enabled at the moment. Should I try to recreate the key and re-sign it with secureboot disabled? I have tried it before and it doesn’t help, but I can try once more if it is needed.

[anatoly@fedora ~]$ cat /sys/firmware/efi/efivars
cat: /sys/firmware/efi/efivars: Is a directory
[anatoly@fedora ~]$ cd /sys/firmware/efi/efivars
[anatoly@fedora efivars]$ ls

[anatoly@fedora efivars]$ dnf list installed *nvidia*
Installed Packages
akmod-nvidia.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
kmod-nvidia-6.4.12-200.fc38.x86_64.x86_64 3:535.104.05-1.fc38 @@commandline
kmod-nvidia-6.4.15-200.fc38.x86_64.x86_64 3:535.104.05-1.fc38 @@commandline
nvidia-persistenced.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
nvidia-settings.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
xorg-x11-drv-nvidia.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
xorg-x11-drv-nvidia-cuda.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
xorg-x11-drv-nvidia-cuda-libs.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
xorg-x11-drv-nvidia-kmodsrc.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
xorg-x11-drv-nvidia-libs.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver
xorg-x11-drv-nvidia-power.x86_64 3:535.104.05-1.fc38 @rpmfusion-nonfree-nvidia-driver

[anatoly@fedora efivars]$ uname -r
6.4.15-200.fc38.x86_64

Now all we seem to need is to fix the issue with signing the modules and importing the key into the bios.

  1. create a new key with sudo kmodgenca -a -f

  2. import that new key with
    sudo mokutil --import /etc/pki/akmods/certs/public_key.der
    The password is a one-time-use password that is created here and entered into bios during the actual reboot.

  3. reboot and import the key into the bios following the steps indicated in the /usr/share/doc/akmods/README.secureboot file

  4. Once the import is completed and the reboot is finished verify the key has been imported as also indicated in that file.

  5. Now the kernel modules must be rebuilt and signed with the key just generated.
    a. sudo dnf remove kmod-nvidia-$(uname -r)
    b. sudo akmods --force

  6. after step 5 completes and the prompt returns wait about another minute then reboot
    a. run mokutil --sb-state to confirm the status of secure boot. If secure boot is enabled then just reboot.
    b. if secure boot is disabled then during the reboot enter the bios setup and set secure boot to enabled.

The steps above should properly import the new key into bios, build the modules already signed with the newly created key, and load them during the last boot. Proper loading of the modules can be verified with lsmod | grep nvidia which should show 4 or more lines output.
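A check to run after the final reboot of the procedure above, added here as an example and not part of the original thread. It reads the `SecureBoot` and `SetupMode` variables directly from efivarfs and combines them with the output of `mokutil --test-key` and `modinfo -F signer nvidia`. The function names (`efivar_byte`, `sb_state`, `verdict`) and the `--live` switch are made up for this example, and the demo branch uses constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: check the outcome of steps 1-6.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c  # UEFI global-variable GUID
CERT=/etc/pki/akmods/certs/public_key.der         # certificate from step 2

# efivar_byte DIR NAME: an efivarfs file is a 4-byte attribute word followed
# by the variable data; print the first data byte as a decimal number.
efivar_byte() {
    local f b
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    b=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$b" ] || return 1
    echo "$b"
}

# sb_state [DIR]: prints enforcing, setup-mode, disabled or no-uefi.
sb_state() {
    local dir sb setup
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot) || { echo no-uefi; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enforcing
    else echo disabled
    fi
}

# verdict SB_STATE TEST_KEY_OUTPUT SIGNER: combine the three observations.
# It does not prove that SIGNER is the enrolled certificate; compare names.
verdict() {
    case "$2" in
        *"is already enrolled"*) ;;
        *) echo "certificate not enrolled: redo steps 2-4"; return 1 ;;
    esac
    [ -n "$3" ] || { echo "module has no signer: redo step 5"; return 1; }
    [ "$1" = enforcing ] || { echo "signed and enrolled, Secure Boot: $1"; return 1; }
    echo "ok: enforcing, certificate enrolled, module signer: $3"
}
if [ "${1:-}" = --live ]; then   # real machine: needs mokutil and modinfo
    verdict "$(sb_state)" "$(mokutil --test-key "$CERT" 2>&1)" \
        "$(modinfo -F signer nvidia 2>/dev/null)" || true
else                             # constructed sample: SecureBoot=1, SetupMode=0
    demo=$(mktemp -d)
    printf '\006\000\000\000\001' > "$demo/SecureBoot-$EFI_GLOBAL"
    printf '\006\000\000\000\000' > "$demo/SetupMode-$EFI_GLOBAL"
    verdict "$(sb_state "$demo")" "$CERT is already enrolled" "constructed signer"
    rm -rf "$demo"
fi
```

Run it with `--live` on the machine itself; without arguments it only exercises the constructed sample.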

It failed on the second step((

Check your crypto-policies and the state of Secure Boot:

update-crypto-policies --show
update-crypto-policies --is-applied
update-crypto-policies --check
mokutil --sb-state

Try enabling Secure Boot before enrolling the MOK key.

Some BIOSes have options to see and delete registered keys. I have used it a couple of times; you just need to be careful that you don’t delete all or the wrong keys, since then you lose the manufacturer/secure boot keys too.

Marko, thanks. I don’t know if that is legal to do, but I deleted all forbidden keys and after that everything works. Thanks.

You’re welcome, and glad that helped. Usually this is a last resort I do if I have issues with these kinds of things.
