Release: Daedalus 5 (debian bookworm 12)
@ devuan wiki / nvidia gpus
@ Debian Secure Boot: To be, or not to be, that is the question! Nov 29, 2024 by Anna. A detailed view on signing nvidia drivers in bookworm.
@ debian wiki / NvidiaGraphicsDrivers.
@ deb / nvidia-driver / bugs
Related workflows: Display current status of gpu acceleration. If nvidia-driver is not installed, Daedalus falls back to using the software rasterizer. Lower analysis and on the order of ten times slower.
Current understanding: the deb package nvidia-kernel will try to build the driver and sign it. But with secure boot enabled those keys created during that process must be 'rolled'. A process that I understand to mean that those keys must get known by the UEFI in order to allow the nvidia driver to load during boot. That process doesn't proceed in Daedalus.
$ mokutil --sb-state
SecureBoot enabled
$ sudo apt install nvidia-driver firmware-misc-nonfree
$ ls /var/lib/dkms/
mok.key  mok.pub
$ sudo mokutil --import /var/lib/dkms/mok.pub 
[sudo] password for chomwitt: 
input password: 
input password again: 
Failed to enroll new keys
A related issue during nvidia-driver installation:
$ sudo apt install nvidia-driver firmware-misc-nonfree
 Processing triggers for initramfs-tools (0.142+deb12u3) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-33-amd64
Errors were encountered while processing:
 nvidia-persistenced
E: Sub-process /usr/bin/dpkg returned an error code (1)
...
$ dpkg -l nvidia-persistenced 
iF  nvidia-persistenced 535.171.04-1~deb12u1 amd64        daemon to maintain persistent software state in the NVIDIA driver
/var/log/syslog during nvidia-driver installation:
2025-07-07T15:17:03.921569+03:00 enousold nvidia-persistenced: Started (10510)
2025-07-07T15:17:03.921732+03:00 enousold nvidia-persistenced: Failed to open libnvidia-cfg.so.1: libnvidia-cfg.so.1: cannot open shared object file: No such file or directory
2025-07-07T15:17:03.921749+03:00 enousold nvidia-persistenced: Shutdown (10510)
But libnvidia-cfg1 is pulled by nvidia-driver and contains
/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.535.247.01
/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.1
I found a 2017 bug report on fedora that includes a strace session that resembles mine.
I found also a test for whether efivars are writeable:
# echo -n "test" > test.data
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
Last edited by chomwitt (2025-07-11 12:30:53)
Devuan(Chimaera)(Daedalus) DS+WM: XorgX11server+StumpVM
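Added example, not part of the original post: mokutil --import stages an enrollment request by writing shim's MokNew/MokAuth EFI variables through efivarfs, so a first triage step for "Failed to enroll new keys" is to check how efivarfs is mounted before looking at the firmware. The function names and the "run" argument are hypothetical; the certificate path is the DKMS one from the post above.

```shell
#!/bin/sh
# Added example (not from the thread): triage for
# "mokutil --import ... Failed to enroll new keys".
# Function names are hypothetical, chosen for this illustration.

# efivarfs_mode FILE -> rw | ro | missing, from a /proc/mounts-format file.
# The last efivarfs entry wins, as a later mount overrides an earlier one.
efivarfs_mode() {
    awk '$3 == "efivarfs" {
             mode = "rw"
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") mode = "ro"
         }
         END { print (mode == "" ? "missing" : mode) }' "$1"
}

# import_blocker MODE -> one line saying whether the mount stops mokutil.
# Returns 0 only when efivarfs itself is not the obstacle.
import_blocker() {
    case "$1" in
        rw)      echo "efivarfs is mounted read-write; the mount is not the obstacle" ;;
        ro)      echo "efivarfs is mounted read-only; EFI variable writes will fail"; return 1 ;;
        missing) echo "efivarfs is not mounted; mokutil cannot reach EFI variables"; return 1 ;;
        *)       echo "unknown mode: $1"; return 2 ;;
    esac
}

# triage [DER_CERT]: live checks on the running system.
triage() {
    cert="${1:-/var/lib/dkms/mok.pub}"
    import_blocker "$(efivarfs_mode /proc/mounts)"
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed"; return 1; }
    mokutil --sb-state
    mokutil --test-key "$cert"   # is this certificate already enrolled?
    mokutil --list-new           # requests still waiting for MokManager
}

# Run the live checks only when asked: sh mok-triage.sh run [cert.der]
if [ "${1:-}" = "run" ]; then shift; triage "$@"; fi
```

A read-write mount only rules out the mount itself; the firmware can still reject the variable write.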

[SOLVED] by enrolling the nvidia pub key from inside the bios.
1. we move nvidia-modsign-crt-89A7BE16.der into /boot/efi/EFI/debian
2. we start uefi setup
3. advanced / menus / boot / secure boot / keymanagement / append default db
But I still haven't figured out why sudo mokutil --import nvidia-pubkey.der didn't work, nor the error with the persistent nvidia daemon.
Last edited by chomwitt (2025-07-11 12:38:08)
Devuan(Chimaera)(Daedalus) DS+WM: XorgX11server+StumpVM
Did you try it in single-user? (just a casual guess)
Be Excellent to each other and Party On!
 https://www.youtube.com/watch?v=rph_1DODXDU
 https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!

In my runit system I tried:
# runsvchdir single
and then:
# cd /var/lib/dkms
# mokutil --import mok.pub
Failed to enroll new keys
Last edited by chomwitt (2025-07-11 20:58:10)
Devuan(Chimaera)(Daedalus) DS+WM: XorgX11server+StumpVM
looks like there might be timing issues with _some_ distros
quoting from:
https://benleskey.com/blog/opensuse#nvidia
snippet:
The biggest problem with the NVIDIA drivers is updating them. With UEFI secure boot enabled, each time the drivers were upgraded I had to enroll their keys at boot time. If I missed the 10 second window (and you only get one chance, even after rebooting), the graphical environment couldn't come up and I had to recover manually by running sudo mokutil --import /usr/share/nvidia-pubkeys/whatever-nvidia-pubkey.der from the recovery environment. You can also disable kernel module verification by running sudo mokutil --disable-validation. This will ask you to set up a small password and then disable the verification at next boot time (assuming you can remember the small password you set up).
Be Excellent to each other and Party On!
 https://www.youtube.com/watch?v=rph_1DODXDU
 https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!

The shim source deb package has an issue, #990311, that although reported against an older version of shim is related to the nvidia gpu driver.
The timing issue is the reverse of what I say. I have trouble using mokutil of the shim and not enrolling the keys from inside the uefi setup utility.
Devuan(Chimaera)(Daedalus) DS+WM: XorgX11server+StumpVM
The last time i looked...
Errors were encountered while processing:
 nvidia-persistenced
This error was caused by the dep package script failing to start (not stopping first) an already running daemon.
Just manually stop 'nvidia-persistenced' and then 'apt -f install' to let the script start 'nvidia-persistenced' itself and complete.

@g4stra thanks. That worked.
$ sudo dpkg -l | grep nvidia
..
ii  nvidia-persistenced 
..
Devuan(Chimaera)(Daedalus) DS+WM: XorgX11server+StumpVM

Although solved, I still can't understand why on earth secureBOOT is needed if I add a gpu driver in my kernel. Wouldn't it be enough to sign a module with a sysadm priv key in a kernel's keyring?
> (7) To maintain secure boot mode, the kernel modules must be signed and the
> kernel must check the signature on them. The key must be compiled into
> the kernel or the bootloader or must reside in the UEFI database.
Wait right here. This is NOT mandated by UEFI, nor by anyone else. It
might be a nice thing that some people and companies want to implement,
but please don't think that some external entity is requiring that Linux
implement this, that is not true.
@kernel email list / Re: [GIT PULL] Load keys from signed PE binaries (2013)
@ Linus vs Matthew Garrett on secureboot . (2019)
Last edited by chomwitt (2025-07-20 18:09:09)
Devuan(Chimaera)(Daedalus) DS+WM: XorgX11server+StumpVM