Signing NVIDIA drivers breaks them

dzmunk · August 30, 2020, 1:30am

In order to not disable secure boot I try to sign the NVIDIA drivers by creating a X.509 key pair by the following:

openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config x509-configuration.ini -outform DER -out public_key.der -keyout private_key.priv

Using configuration.ini as:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = name
CN = name
emailAddress = ...

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Enroll the key in root:

mokutil --import public_key.der

and sign after reboot and append key in BIOS:

/usr/src/linux/scripts/sign-file sha512 ~/private_key.priv  ~/public_key.der  nvidia.ko
/usr/src/linux/scripts/sign-file sha512 ~/private_key.priv  ~/public_key.der  nvidia-uvm.ko

However, that breaks the drivers that otherwise works when simply disabling secure boot.
When calling nvidia-settings it will not open and I get this error: ERROR unable to load info from any available system

Am I missing something?

t0xic0der · August 30, 2020, 7:42am

Could you point me towards the source of these drivers?

dzmunk · August 30, 2020, 5:37pm

The modules are at /usr/lib/modules/$(uname -r)/extra/nvidia

The driver is installed using sudo dnf install akmod-nvidia

kwizart · August 30, 2020, 6:22pm

There are copr repositories for kmodtool akmods that has support for automatically signing any akmod for secure boot.
I hope you can find them and this will help…

(There are certainly many things to improves in this process).