Unable to load nvidia drivers with secure boot enabled

I’m enrolling the MOK key as explained in the RPM Fusion but I’m unable to use NVidia drivers while secure boot is enabled.

Motherboard is Gigabyte B450, BIOS is up to date.

Steps I follow

  1. Secure boot disabled.
  2. Secure boot mode is custom.
  3. Running sudo mokutil --import /etc/pki/akmods/certs/public_key.der and giving it a password.
  4. Reboot.
  5. When system is booting I see MOK management, the options are continue without doing any changes, Enroll MOK, Enroll key from disk, Enroll hash from disk. I’m selecting Enroll MOK.
  6. In the Enroll MOK menu, there’s View key 0 and Continue. View key 0 shows the details of my key and I make sure it’s the key I imported.
  7. Pressing continue and yes in the next menu.
  8. MOK enroll process is done and now there’s Reboot, enroll key from disk and enroll hash from disk options available. I’m selecting reboot as my job with MOK management is done.
  9. After that I’m going into BIOS to check secure boot keys, the BIOS shows me how many of a specific type of key are registered. There is no change in the number of keys before and after importing MOK.
  10. Enabling secure boot to see if it works but it doesn’t, Linux is booting with Nouveau.

Check the output:

sudo mokutil -t /etc/pki/akmods/certs/public_key.der

See also: Tree - rpms/akmods - src.fedoraproject.org

MOK keys are handled by the shim and not the UEFI firmware. You get the list of enrolled MOK keys with this command:

 mokutil --list-enrolled 

I did all those steps correctly, except running kmodgenca because it was already generated. I generated my own with kmodgenca -a -f and enrolled it, nothing has changed. I’m still unable to load nvidia drivers with secure boot enabled.

$ mokutil --test-key /etc/pki/akmods/certs/public_key.der
/etc/pki/akmods/certs/public_key.der is already enrolled

In that case you should rebuild the Nvidia modules so they can be signed with your new key. They might have been signed with the old key and as that key was not enrolled it won’t work.

I am not familiar with Nvidia, but for VirtualBox you can check if the modules were signed and by which key like this:

modinfo /usr/lib/modules/6.3.11-200.fc38.x86_64/extra/VirtualBox/vboxnetadp.ko.xz

The modules for Nvidia are probably also somewhere to be found in /usr/lib/modules/6.3.11-200.fc38.x86_64/extra or similar for kernel versions other than “6.3.11-200.fc38.x86_64”.

1 Like

I already used the already existing (possibly generated while installing akmod-nvidia) MOK key and they didn’t work either. Can you tell me how I can manually sign nvidia modules? modinfo is probably not for that.

Regenerate the akmods key, then rebuild and reinstall the module package:

sudo -u akmods akmodsbuild -o /tmp /usr/src/akmods/SOURCE_NAME.latest
sudo rpm --force -i /tmp/PACKAGE_NAME.rpm

To rebuild the nvidia modules the following seems to be the procedure.

  1. run dnf list installed kmod-nvidia-* to see what nvidia kernel modules are currently installed.
  2. run dnf remove kmod-nvidia-N.N.NN* while replacing the N.N.NN with the currently running kernel version. For me that is the 6.3.11 kernel.
  3. run sudo akmods --force to rebuild and reinstall the kmod-nvidia-* package previously removed.
  4. After step 3 completes wait a minute or two to ensure the signed modules are properly installed then reboot. The modules should now load with secure boot enabled.

All the time I was using akmod-nvidia and not kmod (because rpmfusion told me to), is this signature supposed to sign kmod-nvidia packages?

The akmod-nvidia package triggers use of akmods to build the kmod-nvidia package to match the kernel. The kmod package is the actual drivers which, when it is automatically installed by akmods, will contain the drivers which have been signed using the key created by the kmodgenca command.

All the signing is done automatically during the compile once that key is created.

If you run the command dnf list installed '*nvidia*' it should return a list of all installed packages that contain nvidia in the name. Looking at that list one should note that the kmod-nvidia-… packages are all shown with the repo name being @@commandline. This shows they were locally built and installed.

I got it working now with the steps you provided. Additionally, I rebooted the system once after running sudo akmods --force and I checked the signature with modinfo nvidia and some details of public_key.der to see if there’s a match, and there was a match. After making sure the drivers are now signed with the key generated by akmods I enrolled them and enabled secure boot.

I made sure that my nvidia drivers and Secure Boot are working together with these commands.

$ mokutil --list-enrolled
// Details of the enrolled keys, I check if my key is here.
$ mokutil --sb-state
SecureBoot enabled
$ lspci -k | grep -A 2 -E "(VGA|3D)"
0a:00.0 VGA compatible controller: NVIDIA Corporation *GPU INFO HERE*
	Subsystem: *GPU INFO HERE*
	Kernel driver in use: nvidia

All the outputs indicate that both Secure Boot and nvidia drivers are operating right now. Thanks for the help.

You missed the simplest test.

Following the use of mokutil --sb-state which showed that secure boot was enabled, a simple lsmod | grep nvidia should have shown several lines with the nvidia modules displayed. That confirms that the modules are signed and properly loaded with secure boot enabled.

1 Like
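
The signature check discussed in this thread (comparing what modinfo reports for a module with the akmods certificate) can be scripted. The following is an added example, not part of any post above. It assumes that modinfo's sig_key field carries the signing certificate's serial number, as kmod built with OpenSSL reports it, and uses the certificate path from the thread; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: does the key that signed a module match the akmods certificate?
# A "mismatch" verdict is the case from the thread: modules built and signed
# with an older key than the one now enrolled, so a rebuild is needed.

# Assumption: default akmods certificate path, as used in the thread.
CERT=${CERT:-/etc/pki/akmods/certs/public_key.der}

# Normalise a serial to bare upper-case hex.
# Accepts "serial=3FA1..." (openssl) and "3f:a1:..." (modinfo, mokutil).
norm_serial() {
    printf '%s' "$1" | sed -e 's/^serial=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Return 0 when both serials are non-empty and identical after normalisation.
serials_match() {
    a=$(norm_serial "$1"); b=$(norm_serial "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# $1 = modinfo sig_key (empty for an unsigned module), $2 = certificate serial
verdict() {
    if [ -z "$1" ]; then echo unsigned
    elif serials_match "$1" "$2"; then echo match
    else echo mismatch
    fi
}

# $1 = module name, e.g. nvidia
check_module() {
    sig=$(modinfo -F sig_key "$1") || return 2
    cert=$(openssl x509 -inform der -in "$CERT" -noout -serial) || return 2
    v=$(verdict "$sig" "$cert")
    echo "$1: $v (signer: $(modinfo -F signer "$1"))"
    # Enrollment status of the same certificate, as shown earlier in the thread.
    mokutil --test-key "$CERT" || true
    [ "$v" = match ]
}

# Run only when a module name is given, e.g.: ./check-sig.sh nvidia
[ "$#" -eq 0 ] || check_module "$1"
```

A "match" verdict together with "is already enrolled" from mokutil means the module should be accepted once Secure Boot is enabled; "mismatch" or "unsigned" points to the rebuild steps given earlier in the thread.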