[SOLVED] Help with signing nvidia's driver with secure boot enabled

chomwitt · 2025-07-07 09:18:34

Release: Daedalus 5 (debian bookwarm 12)

@ devuan wiki / nvidia gpus

@Debian Secure Boot: To be, or not to be, that is the question! . Nov 29, 2024 by Anna. A detailed view on signing nvidia drivers in bookwarm.

@ debian wiki / NvidiaGraphicsDrivers.

@ deb / nvidia-driver / bugs

related workflows : Display current status of gpu accelaration. If nvidia-driver is not installed Daedalus rollbacks in using software rasterizer . Lower analysis and in order of ten more slow.

Current understanding : deb package nvidia-kernel will try to build the driver and sign it. But with secure boot enabled those keys created during that process must be 'rolled'. A process that i understand to mean that those keys must get known by the UEFI in order to allow during boot the nvidia driver to load. That process doesnt proceed in Daedalus.

$ mokutil --sb-state
SecureBoot enabled

$ sudo apt install nvidia-driver firmware-misc-nonfree

$ ls /var/lib/dkms/
mok.key  mok.pub

$ sudo mokutil --import /var/lib/dkms/mok.pub 
[sudo] password for chomwitt: 
input password: 
input password again: 
Failed to enroll new keys

A related issue during nvidia-driver installation :

$ sudo apt install nvidia-driver firmware-misc-nonfree
 Processing triggers for initramfs-tools (0.142+deb12u3) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-33-amd64
Errors were encountered while processing:
 nvidia-persistenced
E: Sub-process /usr/bin/dpkg returned an error code (1)
...

$ dpkg -l nvidia-persistenced 
iF  nvidia-persistenced 535.171.04-1~deb12u1 amd64        daemon to maintain persistent software state in the NVIDIA driver

/var/log/syslog during nvidia-driver installation:

2025-07-07T15:17:03.921569+03:00 enousold nvidia-persistenced: Started (10510)
2025-07-07T15:17:03.921732+03:00 enousold nvidia-persistenced: Failed to open libnvidia-cfg.so.1: libnvidia-cfg.so.1: cannot open shared object file: No such file or directory
2025-07-07T15:17:03.921749+03:00 enousold nvidia-persistenced: Shutdown (10510)

But libnvidia-cfg1 is pulled by nvidia-driver and contains

/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.535.247.01
/usr/lib/x86_64-linux-gnu/nvidia/current/libnvidia-cfg.so.1

I found a 2017 bug report on fedora that includes a strace session that resembles mine.

I found also a test for whether efivars are writeable:
# echo -n "test" > test.data
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest

Last edited by chomwitt (2025-07-11 12:30:53)

chomwitt · 2025-07-11 12:31:48

[SOLVED] by enroll-ing the nvidia pub key from inside the bios.

1. we move nvidia-modsign-crt-89A7BE16.der in /boot/efi/EFI/debian
2. we start uefi setup
3. advanced / menus / boot / secure boot / keymanagement / append default db

But i still havent figured why sudo mokutil --import nvidia-pubkey.der didnt work neither the error with the persistent nvidia daemon.

Last edited by chomwitt (2025-07-11 12:38:08)

stargate-sg1-cheyenne-mtn · 2025-07-11 14:17:04

did you try it in single-user?(just a casual guess)

chomwitt · 2025-07-11 20:57:54

In my rinit system I tried by

# runscvchdir single

and then :

# cd /var/lib/dkms
# mokutil --import mok.pub 
Failed to enroll new keys

Last edited by chomwitt (2025-07-11 20:58:10)

stargate-sg1-cheyenne-mtn · 2025-07-12 05:44:04

looks like there might be timing issues with _some_ distros

quoting from:

https://benleskey.com/blog/opensuse#nvidia

snippet:

The biggest problem with the NVIDIA drivers is updating them. With UEFI secure boot enabled, each time the drivers were upgraded I had to enroll their keys at boot time. If I missed the 10 second window (and you only get one chance, even after rebooting), the graphical environment couldn't come up and I had to recover manually by running sudo mokutil --import /usr/share/nvidia-pubkeys/whatever-nvidia-pubkey.der from the recovery environment. You can also disable kernel module verification by running sudo mokutil --disable-validation. This will ask you to set up a small password and then disable the verification at next boot time (assuming you can remember the small password you set up).

chomwitt · 2025-07-12 15:52:40

shim source deb packages has an issue #990311 that although is reported again an older version of shim it's related to nvidia gpu driver.

The timing issue is the reverse of what i say. I have trouble using mokutil of the shim and not enrolling the keys from inside the uefi setup utility.

g4sra · 2025-07-12 17:38:37

The last time i looked...

Errors were encountered while processing:
nvidia-persistenced

This error was caused by the dep package script failing to start (not stopping first) an already running daemon.
Just manually stop 'nvidia-persistenced' and then 'apt -f install' to let the script start 'nvidia-persistenced' itself and complete.

chomwitt · 2025-07-12 21:06:56

@g4stra thanks . That worked.

$ sudo dpkg -l | grep nvidia
..
ii  nvidia-persistenced 
..

The officially official Devuan Forum!

#1 2025-07-07 09:18:34

[SOLVED] Help with signing nvidia's driver with secure boot enabled

#2 2025-07-11 12:31:48

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

#3 2025-07-11 14:17:04

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

#4 2025-07-11 20:57:54

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

#5 2025-07-12 05:44:04

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

#6 2025-07-12 15:52:40

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

#7 2025-07-12 17:38:37

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

#8 2025-07-12 21:06:56

Re: [SOLVED] Help with signing nvidia's driver with secure boot enabled

Board footer