<![CDATA[Dev1 Galaxy Forum / [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?id=7286 Sat, 19 Jul 2025 18:21:34 +0000 FluxBB <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56778#p56778 Although solved i still cant understand why on earth secureBOOT is needed if i add a gpu driver in my kernel. Wouldnt be enough to sign a module with a sysadm priv key in a kernel's keyring?

>  (7) To maintain secure boot mode, the kernel modules must be signed and the
>      kernel must check the signature on them.  The key must be compiled into
>      the kernel or the bootloader or must reside in the UEFI database.

Wait right here.  This is NOT mandated by UEFI, nor by anyone else.  It
might be a nice thing that some people and companies want to implement,
but please don't think that some external entity is requiring that Linux
implement this, that is not true.

@kernel email list / Re: [GIT PULL] Load keys from signed PE binaries (2013)

@ Linus vs Matthew Garrett on secureboot . (2019)

]]> Sat, 19 Jul 2025 18:21:34 +0000 https://dev1galaxy.org/viewtopic.php?pid=56778#p56778 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56683#p56683 @g4stra thanks . That worked.

$ sudo dpkg -l | grep nvidia
..
ii  nvidia-persistenced 
..
]]> Sat, 12 Jul 2025 21:06:56 +0000 https://dev1galaxy.org/viewtopic.php?pid=56683#p56683 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56678#p56678 The last time i looked...

Errors were encountered while processing:
nvidia-persistenced

This error was caused by the dep package script failing to start (not stopping first) an already running daemon.
Just manually stop 'nvidia-persistenced' and then 'apt -f install' to let the script start 'nvidia-persistenced' itself and complete.

]]> Sat, 12 Jul 2025 17:38:37 +0000 https://dev1galaxy.org/viewtopic.php?pid=56678#p56678 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56677#p56677 shim source deb packages has an issue #990311 that although is reported again an older version of shim it's related to nvidia gpu driver.

The timing issue is the reverse of what i say. I have trouble using mokutil of the shim and not enrolling the keys from inside the uefi setup utility.

]]> Sat, 12 Jul 2025 15:52:40 +0000 https://dev1galaxy.org/viewtopic.php?pid=56677#p56677 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56660#p56660 looks like there might be timing issues with _some_ distros

quoting from:

https://benleskey.com/blog/opensuse#nvidia

snippet:

The biggest problem with the NVIDIA drivers is updating them. With UEFI secure boot enabled, each time the drivers were upgraded I had to enroll their keys at boot time. If I missed the 10 second window (and you only get one chance, even after rebooting), the graphical environment couldn't come up and I had to recover manually by running sudo mokutil --import /usr/share/nvidia-pubkeys/whatever-nvidia-pubkey.der from the recovery environment. You can also disable kernel module verification by running sudo mokutil --disable-validation. This will ask you to set up a small password and then disable the verification at next boot time (assuming you can remember the small password you set up).

]]> Sat, 12 Jul 2025 05:44:04 +0000 https://dev1galaxy.org/viewtopic.php?pid=56660#p56660 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56655#p56655 In my rinit system I tried by 

# runscvchdir single

and then :

# cd /var/lib/dkms
# mokutil --import mok.pub 
Failed to enroll new keys
]]> Fri, 11 Jul 2025 20:57:54 +0000 https://dev1galaxy.org/viewtopic.php?pid=56655#p56655 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56651#p56651 did you try it in single-user?(just a casual guess)

]]> Fri, 11 Jul 2025 14:17:04 +0000 https://dev1galaxy.org/viewtopic.php?pid=56651#p56651 <![CDATA[Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56649#p56649 [SOLVED] by enroll-ing the nvidia pub key from inside the bios.
         

  • 1. we move  nvidia-modsign-crt-89A7BE16.der in /boot/efi/EFI/debian

  • 2. we start uefi setup

  • 3. advanced / menus / boot / secure boot / keymanagement / append default db

But i still havent figured why  sudo mokutil --import nvidia-pubkey.der  didnt work neither the error with the persistent nvidia daemon.

]]> Fri, 11 Jul 2025 12:31:48 +0000 https://dev1galaxy.org/viewtopic.php?pid=56649#p56649 <![CDATA[[SOLVED] Help with signing nvidia's driver with secure boot enabled]]> https://dev1galaxy.org/viewtopic.php?pid=56571#p56571 Release: Daedalus 5 (debian bookwarm 12)

@ devuan wiki / nvidia gpus

@Debian Secure Boot: To be, or not to be, that is the question!  . Nov 29, 2024  by Anna. A detailed view on signing nvidia drivers in bookwarm.

@ debian wiki / NvidiaGraphicsDrivers.

@ deb / nvidia-driver / bugs

related workflows : Display current status of gpu accelaration. If nvidia-driver is not installed Daedalus rollbacks in using software rasterizer . Lower analysis and in order of ten more slow.

Current understanding : deb package nvidia-kernel will try to build the driver and sign it. But with secure boot enabled those keys created during that process must be 'rolled'. A process that i understand to mean that those keys must get known by the UEFI in order to allow during boot the nvidia driver to load. That process doesnt proceed in Daedalus.

$ mokutil --sb-state
SecureBoot enabled

$ sudo apt install nvidia-driver firmware-misc-nonfree

$ ls /var/lib/dkms/
mok.key  mok.pub

$ sudo mokutil --import /var/lib/dkms/mok.pub 
[sudo] password for chomwitt: 
input password: 
input password again: 
Failed to enroll new keys

A related issue during nvidia-driver installation :

$ sudo apt install nvidia-driver firmware-misc-nonfree
 Processing triggers for initramfs-tools (0.142+deb12u3) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-33-amd64
Errors were encountered while processing:
 nvidia-persistenced
E: Sub-process /usr/bin/dpkg returned an error code (1)
...

$ dpkg -l nvidia-persistenced 
iF  nvidia-persistenced 535.171.04-1~deb12u1 amd64        daemon to maintain persistent software state in the NVIDIA driver

/var/log/syslog during nvidia-driver installation:

2025-07-07T15:17:03.921569+03:00 enousold nvidia-persistenced: Started (10510)
2025-07-07T15:17:03.921732+03:00 enousold nvidia-persistenced: Failed to open libnvidia-cfg.so.1: libnvidia-cfg.so.1: cannot open shared object file: No such file or directory
2025-07-07T15:17:03.921749+03:00 enousold nvidia-persistenced: Shutdown (10510)

But libnvidia-cfg1 is pulled by nvidia-driver and contains 

/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.535.247.01
/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.1

I found a 2017 bug report on fedora that includes a strace session that resembles mine.

I found also a test for whether efivars are writeable:
# echo -n "test" > test.data
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest

]]> Mon, 07 Jul 2025 09:18:34 +0000 https://dev1galaxy.org/viewtopic.php?pid=56571#p56571