
Comprehensive Guide: Fedora, NVIDIA Drivers, and Secure Boot Signing

Updated: 2 days ago



Running Fedora Linux on a machine with an NVIDIA graphics card is common, but keeping Secure Boot enabled while using the proprietary NVIDIA drivers requires some extra steps. Secure Boot is a valuable security feature that helps protect your system from malware infecting the boot process. Disabling it is an option, but you lose that protection.


This guide provides a comprehensive walkthrough on how to install the official NVIDIA drivers on Fedora Linux while keeping Secure Boot active by generating a Machine Owner Key (MOK), enrolling it, and ensuring your NVIDIA kernel modules are correctly signed. We will primarily use akmods, Fedora's standard tool for managing third-party kernel modules like NVIDIA's, which automates the signing process after the initial setup.


Disclaimer: Follow these steps carefully. Incorrect configuration could potentially lead to boot issues. Crucially, securing the private key generated in this process is vital for maintaining your system's security.



Reference Documents:




Prerequisites: Before You Begin


  1. Enable RPM Fusion Repositories: The standard NVIDIA drivers for Fedora are distributed through the RPM Fusion repositories. Enable them if you haven't already:


sudo dnf install \
  https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
  https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

  2. Update Your System: Ensure your system is fully up-to-date:


sudo dnf upgrade --refresh

Then reboot. Why? This ensures you are actually running the newest kernel you just downloaded. Never install drivers on a "pending update" system. Most black screens happen because you are running Kernel A, but you install drivers for Kernel B.


  3. Install Essential Tools: You'll need mokutil for handling MOK keys. Other tools like openssl should typically be present. Necessary kernel headers (kernel-devel, kernel-headers) are usually pulled in automatically when you install akmod-nvidia, but they are essential for module building.


sudo dnf install mokutil openssl kernel-devel kernel-headers


Understanding the Process: MOK and akmods


  • Secure Boot: Works by ensuring that only trusted software (signed with recognized keys) is loaded during boot. Initially, this includes your UEFI firmware, the Fedora bootloader (shim), and the Fedora kernel.


  • NVIDIA Driver: The proprietary NVIDIA driver includes kernel modules that Secure Boot, by default, won't trust because they aren't signed by Microsoft or Fedora.


  • Machine Owner Key (MOK): This is a mechanism allowing you (the machine owner) to add your own keys to the Secure Boot trust database. By generating your own key pair and enrolling the public key as a MOK, you can sign the NVIDIA modules, extending Secure Boot's trust to include them.


  • akmods: This Fedora service automatically rebuilds third-party kernel modules (like NVIDIA's) whenever a new kernel is installed. Crucially, if a MOK is enrolled and the keys are accessible, akmods will also automatically sign these newly built modules for you.



Step 1: Generate Your Signing Key Pair


We need a private key (to sign modules) and a public key (to enroll with Secure Boot).


# Create a directory to store the keys (optional, but keeps things organized)
# Using /root/ ensures normal users cannot access the private key easily

sudo mkdir -p /root/mok-keys

# Generate the key pair (adjust validity days as needed). Absolute paths are used
# because a normal user's shell cannot cd into /root/; only the cert is DER, the
# private key is written in PEM, which sign-file and akmods expect.

sudo openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout /root/mok-keys/MOK.priv \
  -outform DER -out /root/mok-keys/MOK.der \
  -subj "/CN=My NVIDIA Driver Signing Key/"

  • MOK.priv: This is your private key. Keep it secret, keep it safe!

  • MOK.der: This is your public key certificate (in DER format for enrollment).



!! CRITICAL SECURITY WARNING !!


Your MOK.priv private key file is extremely sensitive. Anyone who obtains this key can sign any kernel module, and your system's Secure Boot will trust it. This could allow kernel-level malware to bypass Secure Boot protection entirely on this specific machine.


  • Protect It: Ensure it has strict permissions. The command above places it in /root/mok-keys/, which is generally protected.


# Verify with: 

sudo ls -l /root/mok-keys/MOK.priv 

# and ensure only root can read it (permissions -r-------- or 400 are ideal) 

sudo chmod 400 /root/mok-keys/MOK.priv

  • Do Not Share: Never share this private key or store it in insecure locations like your regular home directory without strong encryption.


  • Backup Securely: Consider a secure, offline backup if you manage many systems or consider this key critical.


(Alternative Location Note: akmods often looks for keys in /etc/pki/akmods/private/ and /etc/pki/akmods/certs/. Placing your keys there, potentially named akmods-private.key and akmods.crt, might simplify automatic detection by akmods. However, the /root/ location works if secured properly.)



Step 2: Enroll the Public Key (MOK)


Now, tell Secure Boot to trust modules signed with your key by enrolling the public part.


# Import the public key into the MOK enrollment list

sudo mokutil --import /root/mok-keys/MOK.der

# !! IMPORTANT !! You will be prompted to create a temporary password.
# Choose a password you will remember for the next reboot (8-16 characters recommended).
# You only need this password ONCE during the enrollment confirmation step on reboot.


Step 3: Reboot and Complete MOK Enrollment


This step happens during the reboot process, before Fedora fully loads.


  1. Reboot your computer: sudo systemctl reboot


  2. MOKManager Screen: Shortly after the manufacturer's logo, a blue screen titled "Perform MOK management" (or similar) will appear. It often has a short timeout, so be ready to press a key. If you miss it, reboot and try again.


  3. Select "Enroll MOK": Use the arrow keys to navigate and Enter to select.


  4. Select "View key 0": This lets you confirm the details of the key you are about to enroll. Check that it matches the key you generated.


  5. Select "Continue": After viewing the key.


  6. Enroll the key(s)?: It will ask for confirmation. Select "Yes".


  7. Enter Password: CRITICAL STEP! You must now enter the exact password you created with the mokutil --import command earlier. The input might not show asterisks, so type carefully.


  8. Select "OK".


  9. Select "Reboot": The system will now reboot again, this time with the MOK enrolled.



Step 4: Install NVIDIA Drivers Using akmods


Now that Secure Boot trusts your key, install the NVIDIA drivers. akmods will build the module for your current kernel.


# Install the main driver package. The CUDA package is optional but is needed
# for GPU-accelerated applications and compute workloads.

sudo dnf install akmod-nvidia xorg-x11-drv-nvidia-cuda nvidia-gpu-firmware

akmods should start building the module. This can take a few minutes and happens in the background. You must let it complete; if it doesn't, you will get a black screen on reboot. You can monitor its progress roughly with `journalctl -f`, or just wait.


To ensure everything was built correctly enter:


sudo akmods --force --rebuild

Make sure this command completes with an '[OK]' otherwise it failed.


Then:


sudo dracut --force

After the installation finishes, akmods should automatically sign the newly built NVIDIA modules (nvidia.ko, nvidia-modeset.ko, etc.) with your MOK private key, which it locates either where you stored it or under /etc/pki/akmods/ (where kmodgenca or other tools may have placed a copy of the certificate and key).



Step 5: Verify Installation and Signing


Reboot one more time to load the newly installed and signed NVIDIA drivers.


sudo systemctl reboot

After logging in:


  1. Check if driver is loaded:


lsmod | grep nvidia

# You should see lines containing nvidia, nvidia_modeset, nvidia_uvm, etc.

  2. Check if modules are signed: Pick one of the modules (e.g., nvidia.ko) and check its signature. The exact path might vary slightly, find it first:


modinfo nvidia | grep signer

If it prints a signer line carrying your key's CN (the subject you gave openssl in Step 1), the module is signed by your enrolled MOK and Secure Boot will load it. To double-check the file on disk:


sudo find /usr/lib/modules/$(uname -r)/ -name nvidia.ko

# Common location is /usr/lib/modules/$(uname -r)/extra/nvidia/nvidia.ko
# Example path - adjust if needed: 

sudo kmodsign info /usr/lib/modules/$(uname -r)/extra/nvidia/nvidia.ko

# The output should include information about the signer, hopefully matching the details of the MOK you generated (e.g., "/CN=My NVIDIA Driver Signing Key/"). If it shows "Signature: Key expired" or "unsigned," something went wrong.
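The checks Step 5 walks through by hand, as an added script that is not part of the original guide: Secure Boot on, a MOK with the expected CN enrolled, and each NVIDIA module signed by exactly that CN. The CN, the module list and the sample outputs at the bottom are assumptions and constructed data; the parsers operate on text so they run without the hardware.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the MOK trust chain for the
# NVIDIA modules. Parsers take text, so the constructed samples below exercise
# them offline; run with --live to query the real system via mokutil/modinfo.
EXPECTED_CN="My NVIDIA Driver Signing Key"   # CN given to openssl in Step 1 (assumed)
NVIDIA_MODULES="nvidia nvidia_modeset nvidia_uvm nvidia_drm"

# Print the "signer:" value from a `modinfo <module>` dump (empty if unsigned).
modinfo_signer() {
    printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p'
}
# Succeed if a `mokutil --list-enrolled` dump lists a certificate Subject with this CN.
mok_list_has_cn() {
    printf '%s\n' "$1" | grep -q "Subject:.*CN=$2"
}
# 0 = signed by the expected CN, 1 = signed by some other key, 2 = unsigned.
chain_status() {
    signer=$(modinfo_signer "$1")
    [ -z "$signer" ] && return 2
    [ "$signer" = "$2" ] && return 0
    return 1
}

# Live check on the running system (needs mokutil and modinfo).
live_check() {
    mokutil --sb-state | grep -q 'SecureBoot enabled' || { echo 'Secure Boot is off'; return 1; }
    mok_list_has_cn "$(mokutil --list-enrolled)" "$EXPECTED_CN" || { echo 'MOK not enrolled'; return 1; }
    rc=0
    for m in $NVIDIA_MODULES; do
        st=0; chain_status "$(modinfo "$m" 2>/dev/null)" "$EXPECTED_CN" || st=$?
        case $st in
            0) echo "$m: signed by the enrolled MOK" ;;
            1) echo "$m: signed by a DIFFERENT key"; rc=1 ;;
            *) echo "$m: unsigned or not built"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples (not captured from a real machine) for the parsers above.
SAMPLE_MOK='[key 1]
        Subject: CN=My NVIDIA Driver Signing Key'
SAMPLE_SIGNED='filename:       /lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia.ko.xz
signer:         My NVIDIA Driver Signing Key'
SAMPLE_UNSIGNED='filename:       /lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia.ko.xz'

case "${1:-}" in --live) live_check ;; esac
```

A module reported as signed by a different key is the case `lsmod` alone never shows: the file is signed, but not by a key the firmware trusts.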


Still Seeing Black? Fix Nvidia & LUKS Encryption on Fedora


If you’ve followed every tutorial, signed your drivers for Secure Boot, and added every GRUB flag known to man, but you’re still staring at a black screen while your disk waits for a password you can't see—you aren't alone. This is a common "final boss" for high-end cards like the RTX 3090 Ti paired with ultrawide monitors and LUKS encryption.


The problem is a "handover" failure: the kernel needs to show you the password prompt before it mounts your drive, but it doesn't have the Nvidia drivers loaded yet. Here is the definitive "Nuclear Option" that finally fixed it for me.


The Problem: The "Missing" Module


Even if your Nvidia drivers are installed, Fedora's dracut (the tool that builds your boot image) often ignores them because they live in a non-standard /extra/ directory. If the drivers aren't in the initramfs, your monitor won't wake up in time for the encryption prompt.


The Solution: Force the Handover


1. Create a Persistent Dracut Configuration


Don't just run a one-time command; make this fix permanent so kernel updates don't break it. Create a new configuration file: sudo nano /etc/dracut.conf.d/nvidia.conf

Paste the following into the file. This tells dracut to force-inject the drivers and ignore the conflicting open-source nouveau driver:


# Force loading of Nvidia drivers for the LUKS prompt
force_drivers+=" nvidia nvidia_modeset nvidia_uvm nvidia_drm "

# Ensure the open-source driver never interferes
omit_drivers+=" nouveau "

# Carry the modprobe options (nvidia-drm modeset=1) into the initramfs so they apply early
install_items+=" /etc/modprobe.d/nvidia.conf "

2. Ensure Modesetting is Triggered


The drivers need to know how to start. Ensure your modprobe config is set: echo "options nvidia-drm modeset=1" | sudo tee /etc/modprobe.d/nvidia.conf


3. Rebuild the Boot Image


Now trigger the rebuild for the running kernel: sudo dracut --force --verbose (to build for a kernel other than the running one, add --kver followed by that kernel's version).


4. The "Trust but Verify" Step


Before you reboot, verify that the drivers are actually inside the image. If this returns nothing, do not reboot: lsinitrd /boot/initramfs-$(uname -r).img | grep nvidia.ko

If you see a path ending in extra/nvidia/nvidia.ko, you’ve won.



Or If Nothing Else Works


On recent builds of Fedora 43 with kernel 6.17+, this is the only solution that works for me. Unfortunately, for now that means you have to run it every time the kernel gets updated.


Force a manual rebuild of the image, naming the kernel modules to include explicitly. Type 'uname -r' to get your current kernel version, then (substituting it for the version shown):


sudo dracut --force --verbose --kver 6.18.7-200.fc43.x86_64 --add-drivers "nvidia nvidia_modeset nvidia_uvm nvidia_drm" -I /etc/modprobe.d/nvidia.conf

You shouldn't get any Nvidia related errors during the build. To test to make sure it worked type:


lsinitrd /boot/initramfs-6.18.7-200.fc43.x86_64.img | grep -E "nvidia.ko|nvidia.conf"

If everything worked you should get an output showing the config and driver is included in the image.
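Since the rebuild has to be repeated after every kernel update, here is an added audit script (not part of the original post) that runs the lsinitrd check above against every installed kernel's initramfs and prints the exact rebuild command for any image that is incomplete. It assumes Fedora's default paths (/boot/initramfs-<kver>.img, one directory per kernel under /usr/lib/modules); the listings at the bottom are constructed, not real lsinitrd output.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit every installed kernel's
# initramfs for the NVIDIA modules and the modprobe config. Run with --live on a
# Fedora box; without arguments it only defines functions and sample data.
REQUIRED_MODULES="nvidia nvidia-modeset nvidia-uvm nvidia-drm"   # on-disk .ko names
REQUIRED_CONF="etc/modprobe.d/nvidia.conf"

# Given an `lsinitrd <image>` listing, print each required item that is absent.
# Matches plain nvidia.ko as well as compressed nvidia.ko.xz / .zst / .gz.
missing_from_listing() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | grep -qE "/${m}\.ko(\.xz|\.zst|\.gz)?\$" || echo "$m"
    done
    printf '%s\n' "$1" | grep -q "$REQUIRED_CONF" || echo "$REQUIRED_CONF"
}

# Audit one kernel version: prints OK, or the gaps plus the rebuild command to run.
audit_kernel() {
    kver="$1"
    img="/boot/initramfs-${kver}.img"
    [ -f "$img" ] || { echo "$kver: no initramfs at $img"; return 1; }
    gaps=$(missing_from_listing "$(lsinitrd "$img")")
    if [ -z "$gaps" ]; then
        echo "$kver: OK"
    else
        echo "$kver: missing" $gaps
        echo "  fix: sudo dracut --force --kver $kver --add-drivers 'nvidia nvidia_modeset nvidia_uvm nvidia_drm' -I /etc/modprobe.d/nvidia.conf"
        return 1
    fi
}

# Walk every installed kernel (one directory per version under /usr/lib/modules).
audit_all() {
    rc=0
    for d in /usr/lib/modules/*/; do
        audit_kernel "$(basename "$d")" || rc=1
    done
    return $rc
}

# Constructed listings (not real lsinitrd output): a complete image, and one where
# only nvidia.ko and the in-tree drm module made it in, the usual handover failure.
SAMPLE_OK='usr/lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia.ko.xz
usr/lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia-modeset.ko.xz
usr/lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia-uvm.ko.xz
usr/lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia-drm.ko.xz
etc/modprobe.d/nvidia.conf'
SAMPLE_PARTIAL='usr/lib/modules/6.18.7-200.fc43.x86_64/extra/nvidia/nvidia.ko.xz
usr/lib/modules/6.18.7-200.fc43.x86_64/kernel/drivers/gpu/drm/drm.ko.xz'

case "${1:-}" in --live) audit_all ;; esac
```

The partial case matters because a bare `grep nvidia.ko` reports success as soon as nvidia.ko alone is present, while the prompt still needs nvidia-drm and nvidia-modeset in the image.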



Ongoing Maintenance: Kernel Updates


The beauty of this setup is akmods. When you update your Fedora system and get a new kernel:


  1. dnf installs the new kernel.


  2. akmods automatically detects the new kernel and rebuilds the NVIDIA modules for it.


  3. akmods then uses your MOK private key (the one whose public certificate you enrolled) to sign these new modules automatically.


You generally don't need to do anything manually for kernel updates after the initial MOK enrollment and driver install!



Manual Signing (For Understanding & Troubleshooting)


You typically should not need to do this if akmods is working correctly. However, it's useful for understanding the process or if akmods fails to sign for some reason.


  1. Identify Modules: The core NVIDIA modules are usually nvidia.ko, nvidia-modeset.ko, nvidia-drm.ko, and nvidia-uvm.ko.


  2. Find Location: Locate them under /usr/lib/modules/$(uname -r)/. Often in extra/nvidia/ or similar subdirectories.


  3. Sign: Use the sign-file script with the private key and public certificate you generated in Step 1.


# Example for nvidia.ko - repeat for the other modules, adjusting paths as needed.
# sign-file cannot sign a compressed module: if the file on disk is nvidia.ko.xz,
# decompress it with xz -d first, sign it, then recompress it with xz.

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha512 \
  /root/mok-keys/MOK.priv \
  /root/mok-keys/MOK.der \
  /usr/lib/modules/$(uname -r)/extra/nvidia/nvidia.ko


Troubleshooting Tips


  • Black Screen After Boot:

    • When you get to the GRUB boot menu, highlight the top entry and press 'e'. Then remove 'rhgb quiet' and, at the end of the same line, add 'nomodeset'. This lets you boot with basic graphics so you can troubleshoot.


    • Did the MOK enroll correctly? Check: sudo mokutil --list-enrolled (look for your key's subject).


    • Did akmods build the module for the current kernel? Check lsmod | grep nvidia. If not, try forcing a build: sudo akmods --force. Then reboot.


    • Are the modules signed correctly? Use sudo kmodsign info /path/to/nvidia.ko. If not, try manual signing.


    • Check Xorg or Wayland logs for errors (/var/log/Xorg.0.log or journalctl -e COMM=gdm-x-session / journalctl -e COMM=gnome-shell).


  • If you get a black screen try rerunning 'sudo akmods --force' and 'sudo dracut --force' first.


  • Drivers Don't Persist After Kernel Update: This should be handled by akmods. Ensure the akmods service is enabled (sudo systemctl enable akmods.service --now). Check /var/log/akmods/ for build logs. Ensure your private key is secure but accessible by root for signing.


  • MOK Enrollment Failed: Did you enter the correct password during the MOKManager reboot step? If unsure, you might need to reset the MOK list (sudo mokutil --reset, requires reboot and confirmation) and re-import/re-enroll. Be cautious with --reset.


  • To Revert to Original Drivers: In your terminal enter: 'sudo dnf remove \*nvidia\* --exclude=nvidia-gpu-firmware' and `sudo grubby --update-kernel=ALL --remove-args='rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1'` to revert nvidia driver boot flags. Then 'sudo dracut --force'.



Alternative: Disabling Secure Boot


You can always disable Secure Boot in your system's UEFI/BIOS settings. This avoids all signing complexity. However, you lose the security benefit of protection against malicious software interfering early in the boot process (bootkits/rootkits). This guide focuses on keeping Secure Boot enabled for better security.



Setting up NVIDIA drivers with Secure Boot on Fedora involves a few careful steps, primarily generating and enrolling your own Machine Owner Key (MOK). Once done, akmods handles the ongoing signing process automatically during kernel updates. By following this guide, you can enjoy NVIDIA's proprietary drivers while maintaining the valuable protection offered by Secure Boot. Remember to always prioritize the security of your generated private key!



Spiritual Machines Inc.

©2025
