Switching from official NVIDIA driver to rpmfusion package

I installed the proprietary NVIDIA driver from their site using the .run package.
The reason for this is that I found in the past the support for hardware decoding seems to be a bit problematic when using the rpm fusion package.

For instance with proprietary driver OBS works out of the box, rpmfusion not so much in my experience.
Having said this I have found some other issues on my system at the moment, things are locking up, some applications won’t run at all, etc.
This is after I updated the Kernel today, so I am still figuring it all out.
I am hoping to eliminate that the problem is related to the NVIDIA driver package by replacing the proprietary driver with the one from RPM fusion.

I also have secure boot enabled on my F40 install, I have the dkms certs registered with mokutil for 3rd party drivers and package signing.
I have the current driver signed and booting successfully with Secure boot.
I am dual booting with Windows, hence the secure boot.

What is the proper process to install the rpm fusion package, considering that secure boot is enabled and keys were generated via mokutil and that dkms certs are also registered with mokutil…?

My question is how do i ensure that the rpm fusion Nvidia package I install is registered with secure boot, and make sure that nouveau is blacklisted.?

1 Like

You should be following Howto/NVIDIA - RPM Fusion and it tells you to read Howto/Secure Boot - RPM Fusion to setup signing of the driver.

The rpmfusion install adds the blacklisting config as I recall.
You should see that on the kernel command line.

Note rpmfusion uses akmods not dkms. Check that akmods knows about your cert.


Howto/Secure Boot - RPM Fusion to setup signing of the driver.

I have done this already, my OS has secure boot enabled.

Note rpmfusion uses akmods not dkms. Check that akmods knows about your cert.

Is it the same key that I used for secure boot of the OS that will be signing the rpmfusion packages?

How do I check to see that akmods knows about the cert?

The Secure Boot Please have a look on Howto/Secure Boot in order to sign the nvidia kmod. You will have to enter the BIOS/EFI to import your self generated key.

This is my source of confusion , it states that I have to import the self signed certificate.

1 Like

The process is to create a personal key for akmod to use to sign the nvidia drivers.
For that to work you have to add your personal key to the BIOS, as the docs explain.

After you do these steps then when the nvidia driver is built akmods will sign it with your personal key.

Now when you boot the system the nvidia driver can be loaded by the kernel.

the instructions for dkms and signing are different than the instructions for akmods and signing.

Following the instructions at rpmfusion or in the file located at /usr/share/doc/akmods/README.secureboot will handle the signing key and importing it into the bios. That key then works for all kernel modules that are managed by akmods.

1 Like

The below is from the doc you linked…

At the first run of the akmods.service, certificate and keypair will be
created with default value using the ‘/usr/sbin/kmodgenca’ script.

You may also wish to manually create your own certificate and keypair
with /usr/sbin/kmodgenca command.

I didn’t have to generate a new key for the NVIDIA driver, I reused the same one I generated for secure boot. Unless I misunderstand the whole process and that in fact was not the case.

This was the process I used to enable secure boot and install nvidia drivers on my system.

Enabled secure boot:

  1. sudo dnf install kmodtool akmods mokutil openssl
  2. sudo kmodgenca -a
  3. sudo mokutil --import /etc/pki/akmods/certs/public_key.der
  4. sudo reboot
  5. Enrolled the key

After enabling secure boot on Fedora I installed tne NVIDIA driver:

  1. sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs xorg-x11-drv-nvidia-libs.i686 sudo dnf install xorg-x11-drv-nvidia-cuda
  2. sudo akmods --force
  3. sudo dracut --force
  4. sudo reboot

Your first 5 steps have nothing to do with secure boot directly, but instead deal with the creation of the signing key and enrolling it into bios so the signed kernel modules can later be loaded when secure boot is enabled. Steps 2 - 5 are the same steps that are in the instructions in the file /usr/share/doc/akmods/README.secureboot.

Your last 4 steps have redundancy in steps 2 & 3 since those processes are run automatically with step 1 and waiting for about 5 minutes after the installation of step 1 is completed before rebooting.

You actually did the installation properly and it seems to have worked for you.


1 Like

Thanks for clearing that up, I thought as much but wasn’t 100% sure.

I do prefer step 2 & 3 and figured they might be redundant but I have caught myself rebooting too fast in the past and messing up the whole process of registering the modules.
So I didn’t mind adding those steps to my process.

I actually did about 15 re-installs of Fedora in the last few weeks trying to figure out the instability of my system. I think I might have found my culprit, just not 100% sure yet.
I think the recent kernel exposed some hardware instability.

I also noticed after the recent install and secure boot enablement,
that when I run mokutil -l I have some old keys sitting in the bios.
I have to now match them up to my existing key in Fedora and remove the others.
I assume if the above is all I enrolled I should only have one key with the hostname.

Also look at https://github.com/dell/dkms?tab=readme-ov-file#secure-boot.

It shows step by step what happens after you run mokutil --import and reboot.

1 Like