Nvidia Linux drivers and Secure Boot
Update (2023-07-29)
If you are coming across this now and are still looking to install these drivers on a modern install of Fedora, you should read the instructions on the rpmfusion wiki for NVIDIA and Secure Boot. You may want to do a fresh reinstall on each Fedora version upgrade, and you may need to re-import the MOK if you update the UEFI.
Using the nvidia-supplied installer
As I alluded to in the previous post, the set-up for getting the proprietary nVidia drivers was a bit of a PITA. These instructions are both a way of remembering how I did it (if I ever need to do it again) and a reference for any other people struggling with this difficult task. Specs are below:
- OS: Fedora 27 Workstation (kernel 4.15.6-300.fc27.x86_64)
- Motherboard: AsRock Z170 Fatal1ty mITX
- CPU: Intel i5 6400
- GPU: nVidia GeForce GTX 1060 6GB
Reasons to use the proprietary drivers
There are a couple of reasons that I have for wanting the proprietary drivers, namely the fan speed idles much slower on them and there is significantly higher performance on nVidia 10-series cards. Also, I’ve experienced stuttering and unresponsiveness from a cold boot on the open-source drivers (my guess is it doesn’t initialise the card correctly, but the time between reboots keeps the card live enough for Linux to use Windows’ initialisation, but that’s just a guess).
How to do it
First point to note is that the UEFI on this motherboard sucks big hairy donkey balls and doesn’t load a UEFI shell or tool like KeyTool and doesn’t have any way of loading your custom keys on to the board through their UEFI interface. Luckily I found a guide for Gentoo that uses the efi-updatevar tool to create and install the required keys here. This should leave you with many files, including db.key and db.crt. db.key is the private key that kernel modules should be signed with, and db.crt is its public counterpart. Combining this with the guide here I tested the signing process on the VirtualBox module. Sure enough, it worked! This meant that I was ready to move on to the graphics drivers. I followed the guide on if-not-true-then-false up to (but not including) step 2.8.2, where I ran the command supplied by nVidia in their documentation.
sh ./NVIDIA-Linux-x86_64-390.25.run -s \
--module-signing-secret-key=/path/to/db.key \
--module-signing-public-key=/path/to/db.crt
Then rejoin the if-not-true-then-false guide at 2.9. This has left me with a system with fully working graphics. As a side-note, on every kernel update you will need to re-sign or maybe rebuild the kernel driver (I’m not sure how the silent install of the driver configures itself, although it is probably somewhere in the documentation).
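An added example (not from the original post or from nVidia's documentation) for the re-sign case in the side-note above: it lists kernel modules that carry no appended signature and signs them with the same db.key and db.crt. The script name, the module directory and the sign-file location from Fedora's kernel-devel package are assumptions.

```bash
#!/usr/bin/env bash
# Added example: find kernel modules with no appended signature and sign
# them with the db.key/db.crt pair. All paths are assumptions, adjust them.
# Keep db.key readable by root only: whoever holds it can sign modules
# that this machine's Secure Boot policy will accept.

MAGIC='~Module signature appended~'   # trailer of a signed module (plus "\n")

# hex: dump stdin as one continuous hex string, safe for binary data.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# is_signed FILE: true when FILE ends with the 28-byte signature trailer.
# This checks that a signature is present, not that it verifies.
is_signed() {
    [ "$(tail -c 28 "$1" | hex)" = "$(printf '%s\n' "$MAGIC" | hex)" ]
}

# unsigned_modules DIR: print every *.ko under DIR that lacks the trailer.
unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r mod; do
        is_signed "$mod" || printf '%s\n' "$mod"
    done
}

# sign_unsigned DIR KEY CERT: sign what unsigned_modules reports, using the
# sign-file helper from the kernel-devel package (assumed location).
sign_unsigned() {
    sign_file="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    unsigned_modules "$1" | while IFS= read -r mod; do
        "$sign_file" sha256 "$2" "$3" "$mod" && printf 'signed %s\n' "$mod"
    done
}

# Run as root with three arguments, for example:
#   ./resign.sh "/lib/modules/$(uname -r)/kernel/drivers/video" \
#       /path/to/db.key /path/to/db.crt
if [ "$#" -eq 3 ]; then
    sign_unsigned "$1" "$2" "$3"
fi
```

Afterwards, `modinfo -F signer` on a module shows which key signed it.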