How to sign Nvidia proprietary drivers to secure boot Fedora Silverblue/Kinoite/Workstation 35

Nelson Aloysio
3 min read · Apr 14, 2022
Figure: Nvidia and Tux.

The guide below was written for Fedora 35, and even though it still works, most of it isn’t required any longer. For Silverblue/Kinoite 36+, check out build-kmod-nvidia-signed-rpm on how to automatically sign the kernel modules. For Workstation 36+, check out the official Wiki page on Secure Boot.

On Fedora 35, the proprietary Nvidia kernel modules still have to be signed manually for Fedora to boot successfully with Secure Boot enabled; otherwise the modules fail to load and the nouveau fallback driver is used instead.

Although more than one method exists to do this automatically, none of the ones I tried worked for me and I had to resort to doing it by hand (thanks, Laurent!), so I decided to write a quick guide for those who might be in the same scenario.

Create a new Machine Owner Key (MOK)

In order to do that, first generate a new X.509 key pair using openssl (if it isn’t already installed in your system, make sure to get it with dnf/yum):

openssl req -new -nodes -x509 \
-days 36500 \
-newkey rsa:2048 \
-keyout key.priv \
-outform DER \
-out key.der

For Fedora versions 36 and higher, just run kmodgenca instead: it generates a new MOK key pair under /etc/pki/akmods/, with the certificate at /etc/pki/akmods/certs/public_key.der.

Enroll your new Machine Owner Key (MOK)

Afterwards, enroll your new key onto Secure Boot’s key database and reboot:

sudo mokutil --import key.der

A password will be requested; it is used only once, after rebooting, to confirm the enrollment. Make sure to store your newly created key files, since you will need them to sign the modules again whenever a new driver version or kernel update is installed.

Install Nvidia proprietary drivers

The Nvidia drivers in Fedora are available in the rpmfusion repositories — which, if you haven’t already, can be enabled from the Software Center (for Nvidia drivers only) or by downloading and installing the official packages:

sudo dnf install \
https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm &&
sudo dnf group update core

For CentOS and Red Hat Linux, check out the Wiki for additional steps.

The package candidate name on Fedora is akmod-nvidia, while CentOS and RHEL users may use kmod-nvidia instead. Make sure to install matching drivers for your hardware (e.g. the latest version for any GTX/RTX card):

sudo dnf install akmod-nvidia         # kmod-nvidia for CentOS/RHEL
# sudo dnf install akmod-nvidia-470xx # GeForce 600/700 series
# sudo dnf install akmod-nvidia-390xx # GeForce 400/500 series
# sudo dnf install akmod-nvidia-340xx # GeForce 8/9/200/300 series

More details on supported cards and drivers are also available on the Wiki.

Prerequisites for Silverblue/Kinoite only

If you are on Silverblue, first make the /usr directory writable with:

sudo ostree admin unlock --hotfix

You may want to add the following kernel parameters to enable modeset and block Nouveau (it’ll still be used as fallback if the Nvidia modules fail to load):

rpm-ostree kargs --append nvidia-drm.modeset=1 \
--append modprobe.blacklist=nouveau \
--append rd.driver.blacklist=nouveau

Sign the kernel modules

Now, let’s finally sign the modules. Make sure the kernel-devel package is installed on your system, as it provides the sign-file script used below; then run the command for your kernel:

# Run from a scratch directory. Key paths: use ./key.priv and ./key.der if you
# generated the pair with openssl above, or the /etc/pki/akmods paths below if
# you used kmodgenca.
ls -1 /usr/lib/modules/$(uname -r)/extra/nvidia/* |
while read module; do
    echo "$module"
    cp "$module" .                                # work on a local copy
    unxz -f "$(basename "$module")"               # modules ship as .ko.xz
    /usr/src/kernels/$(uname -r)/scripts/sign-file \
        sha256 \
        /etc/pki/akmods/private/private_key.priv \
        /etc/pki/akmods/certs/public_key.der \
        "./$(basename "${module:0:-3}")"          # sign the uncompressed .ko
    xz -f "$(basename "${module:0:-3}")"          # recompress to .ko.xz
    mv -f "$(basename "$module")" "$module"       # replace the original module
done

Note: Whenever a new Nvidia driver or kernel version is installed (or rpm-ostree creates a new deployment, in the case of Silverblue), rerun the above command after rebooting the OS to sign the new module files. For Silverblue, you might also want to pin your deployment so you can roll back just in case.
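Before rebooting with Secure Boot on, it is worth checking that every Nvidia module actually carries an appended signature and that the key you signed with is the one enrolled in the MOK list; an unsigned module or a still-queued key means nouveau on the next boot. The script below is an added example, not part of the original post: it assumes bash, xz, mokutil and modinfo (from kmod) are installed, and mirrors the paths used above (modules under /usr/lib/modules/<kver>/extra/nvidia, the MOK certificate in ./key.der or /etc/pki/akmods/certs/public_key.der). It goes slightly beyond the post in that it handles .xz, .gz and .zst compressed modules rather than .xz only.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify the signing step before
# rebooting with Secure Boot on. Assumes bash, xz, mokutil and modinfo (kmod).
set -u

# Every signed module ends with this fixed marker followed by a newline
# (MODULE_SIG_STRING in the kernel sources): 27 bytes + "\n" = 28 bytes.
SIG_MARKER='~Module signature appended~'

# Hex-encode stdin so binary tails can be compared safely in the shell.
to_hex() { od -An -tx1 | tr -d ' \n'; }

# module_is_signed FILE: 0 if the module carries an appended signature,
# 1 otherwise. Compressed modules (.xz/.gz/.zst) are decompressed on the fly;
# the signature lives on the uncompressed image, which is why the post
# unpacks each module before running sign-file.
module_is_signed() {
    local file=$1 tail_hex
    [ -f "$file" ] || return 1
    case $file in
        *.xz)  tail_hex=$(xz -dc "$file"   | tail -c 28 | to_hex) ;;
        *.gz)  tail_hex=$(gzip -dc "$file" | tail -c 28 | to_hex) ;;
        *.zst) tail_hex=$(zstd -dc "$file" | tail -c 28 | to_hex) ;;
        *)     tail_hex=$(tail -c 28 "$file" | to_hex) ;;
    esac
    [ "$tail_hex" = "$(printf '%s\n' "$SIG_MARKER" | to_hex)" ]
}

# check_nvidia_modules [KVER]: report each Nvidia module for the given kernel
# (default: the running one); returns 1 if any module is unsigned, so it can
# be used as a pre-reboot gate.
check_nvidia_modules() {
    local kver=${1:-$(uname -r)} dir module unsigned=0
    dir=/usr/lib/modules/$kver/extra/nvidia
    [ -d "$dir" ] || { echo "no Nvidia modules under $dir"; return 1; }
    for module in "$dir"/*; do
        if module_is_signed "$module"; then
            # modinfo reads compressed modules and prints the signer's key id
            # (empty when the module is unsigned).
            echo "signed   $module (sig_key: $(modinfo -F sig_key "$module" 2>/dev/null))"
        else
            echo "UNSIGNED $module"
            unsigned=1
        fi
    done
    return "$unsigned"
}

# mok_status KEY.der: print the Secure Boot state and whether the MOK used for
# signing is enrolled (mokutil reports "... is already enrolled" or
# "... is not enrolled"; a key that is only queued still needs the reboot).
mok_status() {
    local key=$1
    mokutil --sb-state
    mokutil --test-key "$key"
}

# Usage (run after the signing loop from the post, before rebooting):
#   mok_status /etc/pki/akmods/certs/public_key.der   # or ./key.der
#   check_nvidia_modules && echo "all Nvidia modules signed"
```

The marker check is deliberately a byte comparison on the last 28 bytes rather than a grep, so an arbitrary binary tail cannot produce a false positive; modinfo is only used to show which key id signed the module, which is what you compare against the certificate you enrolled.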

Happy secure booting! ❤
