Install Nvidia Drivers in Fedora with Secure Boot Enabled

/ insidentally | 无妄当自持

Original link: https://www.inidentally.com/articles/000034/

Now the new factory computer UEFI will enable Secure Boot by default. The function of Secure Boot is to prevent malware from intruding. When the computer bootloader is modified by a virus, it will give a reminder and refuse to start to avoid possible further losses. However, it will also prevent some unsigned Linux kernels from starting to run. Although you can directly choose to turn off secure boot in the motherboard settings to solve a series of troubles, you can see in the Windows 11 minimum hardware standards announced by Microsoft recently that secure boot is getting more and more important by Microsoft. If your computer is a Windows + Linux dual system, it is best to let Linux itself support secure boot.

Fedora, one of the most useful distributions, is more keen on open source drivers, which itself supports secure boot, but when you install official NVIDIA drivers through rpmfusion, the kernel modules of these drivers will be unsigned. During the Linux boot process, because of the signature verification of secure boot, these modules will be prevented from loading, and the graphics card cannot be driven normally. Friends who have used Ubuntu should know that when secure boot is enabled, the Ubuntu installer will automatically sign the NVIDIA driver kernel module with a self-signed key, and automatically import the self-signed key into the MOK List (secure boot machine owner trust key list) during the boot process. However, Fedora only guarantees that its own kernel signature is valid, and ignores the third-party kernel module signature in rpmfusion, resulting in the failure to load the NVIDIA driver normally.

This article explains how to automatically sign Nvidia kernel modules in Fedora

Preparation

Prior to Fedora 36, ​​it was a bit difficult to automatically sign kernel modules like Ubuntu did. But starting with this version, you can do it in just a few simple steps.

Before we start, let’s make sure some prerequisites are met:

  1. Secure Boot is enabled;
  2. The NVidia driver has not been installed ( very critical , if you have installed the proprietary Nvidia driver, you may need to reinstall the system);
  3. And Fedora 36 and above installed.

This guide mainly refers to the following materials:

  1. Official Nvidia documentation for rpmfusion
  2. The official secure boot documentation for rpmfusion
  3. Andrei Nevedomskii’s blog tutorial

Friends who are not satisfied with this article can read the above information for further in-depth research.

Specific steps

1. Install the tools required for automatic signing

 1
 
 sudo dnf install kmodtool akmods mokutil openssl

2. Generate a signing key

 1
 
 sudo kmodgenca -a

3. Start key registration

This will make the Linux kernel trust drivers signed with your key

sudo mokutil --import /etc/pki/akmods/certs/public_key.der

You will be asked to enter a password. Please remember this password, you will need to use it again in the fifth step.

4. Reboot to register the key

 1
 
 sudo reboot

5. Registration key

After restarting, you will see the blue MOK manager interface, don’t panic, follow the steps below to register the key.

If you have ever installed nVidia drivers in Ubuntu with Secure Boot enabled, you may have seen this screen.

  1. First select “Enroll MOK” to register MOK.
  2. Then select “Continue”.
  3. Click “Yes” and enter the password in step 3 and press Enter ( the password will not be displayed in the input box, just enter the password and press Enter ).
  4. Then select “reboot” and the device will reboot again.

6. Install Nvidia drivers

Now just install the Nvidia drivers normally.

 1
 
 sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg- x 11 -drv-nvidia xorg -x 11 -drv-nvidia-libs

7. Make sure the kernel module is compiled

 1
 
 sudo akmods --force

8. Make sure the boot images are also updated

 1
 
 sudo dracut --force

9. Restart the device

 1
 
 sudo reboot

Confirm success

After the restart is complete, enter the following command to confirm whether the driver is loaded:

 1
 
 lsmod | grep -i nvidia

If you get output similar to the following, congratulations, you’re good to go, and you’re all set!

 1
 2
 3
 4
 5
 6
 7
 
 $ lsmod | grep -i nvidia

 nvidia_drm 94208 2
 nvidia_modeset 1560576 2 nvidia_drm
 nvidia_uvm 3493888 0
 nvidia 62517248 118 nvidia_uvm, nvidia_modeset
 video 73728 3 asus_wmi,i915,nvidia_modeset

Now you can happily use your Nvidia graphics card with Secure Boot enabled.

Hope this article can help you.

This article is reproduced from: https://www.inidentally.com/articles/000034/
This site is only for collection, and the copyright belongs to the original author.