Nvidia drivers with secure boot no longer working

I’ve been experiencing an issue with my install of the Nvidia drivers via the akmod-nvidia package. Starting sometime in the last few weeks, I’ve been getting the “…falling back to nouveau…” message when booting up Fedora on my secure boot laptop and the Nvidia drivers are failing to work.

I’m dual booting Fedora 38 and Windows 11. I installed the Nvidia drivers soon after upgrading to Fedora 38 in mid-May this year using the RPM Fusion How-to for secure boot machines (generating a key with kmodgenca, enrolling with mokutil and installing the drivers with akmod-nvidia). The drivers installed and ran fine, I could see my Nvidia GPU in the Nvidia Settings application and the dGPU was recognized as expected. Then as I stated above, sometime in the last few weeks the drivers have been falling back to nouveau on booting up. I update Fedora regularly, so my guess is that the culprit is a kernel or Nvidia driver update, but I’m not sure how to resolve this issue, especially since it was working fine until it wasn’t.

The following are things I’ve tried to resolve this issue:

  • Removing Nvidia packages with sudo dnf remove *nvidia* and reinstalling via sudo dnf install akmod-nvidia.

  • Running sudo akmods --force
    This results in a FAILED message:

    Checking kmods exist for 6.3.8-200.fc38.x86_64             [  OK  ]
    Building and installing nvidia-kmod                        [FAILED]
    Building rpms failed; see /var/cache/akmods/nvidia/530.41.03-1-for-6.3.8-200.fc38.x86_64.failed.log for details
    
    Hint: Some kmods were ignored or failed to build or install.
    You can try to rebuild and install them by by calling
    '/usr/sbin/akmods --force' as root.
    

    I did try running /usr/sbin/akmods --force as root but there was no change, the same FAILED message showed again.

  • Removing Nvidia packages, removing the enrolled key with mokutil and re-enrolling the key generated with kmodgenca, then installing akmod-nvidia.

Has anyone else experienced a recent failure of the Nvidia drivers to load on secure boot using akmod-nvidia? Any help with this would be much appreciated.

1 Like

This is incorrect since it also removes the nvidia-gpu-firmware package which is required for the GPU.
Before going any further please do sudo dnf reinstall linux-firmware to make sure all the firmware packages are installed and up to date then reboot to ensure the gpu firmware is loaded. This may be all that is required.

The symptoms and timing seem to indicate that something may be off with secure boot.
Please show us the output of mokutil --sb-state. If secure boot is enabled and for some reason the modules are not properly signed or not signed with the proper key they will not load. Is it possible there may have been a firmware update on your computer?

To test the theory of the key missing or incorrect please run
mokutil --list-enrolled | grep Issuer which should show the personal key you previously enrolled.
Then run sudo mokutil --test-key /etc/pki/akmods/certs/public_key.der to test the validity of the key on your system related to the one in bios.

If either or both of those fail then it seems necessary to repeat the creation and enroll the new key created. Follow the same steps previously used but use sudo kmodgenca -a -f to force creating a new key and overwrite any older keys already there. Then the mokutil --import steps will work with the newer key just created.

Once that is done then it is necessary to force a rebuild of the modules with the new key.
sudo dnf remove kmod-nvidia-6.3.8* followed by sudo akmods --force should manage that.

1 Like

I was able to get the Nvidia drivers to work again, thank you for your help. Ultimately I think an important part of the solution was forcing the creation of a new key using sudo kmodgenca -a -f. It’s likely that I had run a device firmware update during the period I noticed the issue, would this firmware update have been the issue?

These were my steps in case anyone else may have a similar issue:

  • I ran sudo dnf reinstall linux-firmware and rebooted.
  • mokutil --sb-state showed secure boot is enabled.
  • Both mokutil --list-enrolled | grep Issuer and sudo mokutil --test-key /etc/pki/akmods/certs/public_key.der showed the proper key and didn’t appear to generate a failure.
  • Ran sudo dnf remove akmod-nvidia.
  • Ran sudo dnf reinstall linux-firmware once more and rebooted.
  • Deleted the existing key with sudo mokutil --delete /etc/pki/akmods/certs/public_key.der and rebooted, deleting the key through the mok startup prompts.
  • Forced the creation of a new key with sudo kmodgenca -a -f.
  • Enrolled the new key with sudo mokutil --import /etc/pki/akmods/certs/public_key.der and rebooted to go through the mok startup prompts.
  • Installed Nvidia drivers with sudo dnf install akmod-nvidia and waited until the machine’s CPU utilization increased then decreased before running sudo akmods --force (about 3-5 mins). This time this last command returned OK.
  • Rebooted the machine.
  • Checked Nvidia settings and now I can see my dGPU.

Now my dGPU is working with the Nvidia drivers.

You did a lot of unnecessary extra steps instead of the simple process I suggested, but your way seems to have worked as well.

I am surprised that both the test commands showed things working properly with the original keys. Having removed the nvidia-gpu-firmware package is certain to cause failure of loading the drivers since the GPU could not be recognized without the proper firmware.

In any case good work. :+1:

I forgot to mention with the first time issuing sudo dnf reinstall linux-firmware and rebooting, I still received the “…falling back to nouveau” message, so I proceeded to reinstall with a fresh key. Thankfully something here worked.

1 Like

Hello i have problems with enroll new keys. Don’t you have this problems? I tried to delete keys thats doesn’t work, i tried to reset mokutil that doesn’t work too(((
Can you help me?

I believe that message shows that the key is already enrolled.
It can be checked with mokutil --test-key /etc/pki/akmods/certs/public_key.der

If that shows failure then one may need to redo the steps outlined in /usr/share/doc/akmods/README.secureboot from the beginning and create and import a new key.

One may use the commands at the bottom of that readme to verify the key is already imported and valid
mokutil --list-enrolled | grep Issuer
or with:
mokutil --test-key /etc/pki/akmods/certs/public_key.der

The last one verifies that the existing key is enrolled in the bios and if not then one would need to generate a new key. Otherwise it seems something may be wrong with the way the module was created and signed.

If the key was already enrolled then it seems quite possible that the module was compiled before the key was generated and needs to be recompiled.

A new module may be created and signed by doing
sudo dnf remove kmod-nvidia-6.3.XX-*
where the XX represents the kernel version currently booted (available with uname -r).
Following that one runs sudo akmods --force to rebuild and install the drivers new.
Finally a reboot should now load the newly compiled drivers.

I reinstalled akmod multiple times it doesn’t help((
Drivers are working fine but only without secure boot, i cannot sign them((

Hello guys, issue still is unsolved, can some one help me?

To sign the driver modules the steps listed in /usr/share/doc/akmods/README.secureboot must be followed exactly to import the key into bios. Your image in post 8 shows that a key was not enrolled into the bios so even a signed module cannot be loaded.

I would create a new key with sudo kmodgenca -a -f to force building a new key.
Then import it as instructed and verify it is properly imported as you attempted above.

The instructions in post 7 are still valid.

Note that the original problem here was solved and this thread was marked as solved at post 2

If you are still having problems it would be best that you open your own thread for the problem instead of continuing to post onto an already solved thread. It will get more attention that way.