If you’ve migrated to Fedora from Ubuntu and you have Secure Boot enabled, you might have noticed a significant difference between the 2 distros: Fedora doesn’t automatically sign NVidia kernel module like Ubuntu does. This article is to help you make Fedora as comfortable to use as Ubuntu is in that regard.

Before we start, let’s make sure some preconditions are met:

you should already have Secure Boot enabled;
you don’t have NVidia driver installed yet;
and you should have Fedora installed. 😉

This guide was tested with Fedora 34 and 35, and probably works with older versions.

❗IMPORTANT: Fedora 36 now has official support for module auto signing. If you’re doing a fresh install of Fedora 36, make sure to follow this guide instead.

Time needed: 10 minutes

Here’s how to automatically sign NVidia kernel module in Fedora 35 and earlier

Install mokutil and openssl
sudo dnf install mokutil openssl
Generate a signing key
sudo openssl req -new -x509 -newkey rsa:2048 -keyout ~/driver-signing.key -outform DER -out ~/driver-signing.der -nodes -days 36500 -subj "/CN=Private Driver Signing"
Initiate the key enrollment
This will make Linux kernel trust drivers signed with your key
sudo mokutil --import ~/driver-signing.der
You will be asked to enter a password, it doesn’t have to be very strong, just make sure to remember it. You’ll only need it once during step 5.
Reboot to enroll the key
sudo reboot
Enroll the key
After reboot you will see MOK Manager interface and will be asked to enroll the key. Probably if you ever installed nVidia drivers in Ubuntu with Secure boot enabled, you’ve seen this interface before.
First select “Enroll MOK“.
Then “Continue“.
Hit “Yes” and enter the password from step 3.
Then select “OK” and your device will reboot again.
Enable 2 COPRs
We’re gonna need modified versions of tools used to compile kernel modules from those repositories.
Thanks to Elia Geretto for the repositories.
sudo dnf copr enable egeretto/kmodtool-secureboot sudo dnf copr enable egeretto/akmods-secureboot
sudo dnf update --refresh
Install the modified versions of kmodtool and akmods
sudo dnf install kmodtool akmods
Move the public and private parts of the key to the akmods dir and set secure permissions
sudo mv ~/driver-signing.der /etc/pki/akmods/certs/public_key.der sudo chown root:akmods /etc/pki/akmods/certs/public_key.der sudo chmod 640 /etc/pki/akmods/certs/public_key.der sudo mv ~/driver-signing.key /etc/pki/akmods/private/private_key.priv sudo chown root:akmods /etc/pki/akmods/private/private_key.priv sudo chmod 640 /etc/pki/akmods/private/private_key.priv
Install NVidia driver
Now just install NVidia driver like you would typically do.
sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs xorg-x11-drv-nvidia-libs.i686
Make sure the kernel modules got compiled
sudo akmods --force
Make sure the boot image got updated as well
sudo dracut --force
Reboot your device
sudo reboot

Now that you’re done, make sure to verify the driver got loaded after reboot:

$> lsmod | grep -i nvidia

nvidia_drm             73728  1
nvidia_modeset       1150976  2 nvidia_drm
nvidia              36954112  129 nvidia_modeset
drm_kms_helper        311296  2 nvidia_drm,i915
drm                   630784  28 drm_kms_helper,nvidia,nvidia_drm,i915,ttm
Code language: Gradle (gradle)

if you have output similar to the one above, then everything went smoothly and you’re all set!

I hope this was helpful.

Happy hacking!

Upgrade to Fedora 36:

If you’re installing Fedora 36 from scratch, please, make sure to follow this guide instead.

If you have just upgraded to Fedora 36 and noticed the driver doesn’t load anymore, do the following steps:

First remove the kernel module(s) that got compiled, but not signed:
sudo dnf remove $(dnf list --installed | grep -e "^kmod-nvidia.*\.fc36." | awk '{print $1}')
Remove the old certificates, you don’t need them anymore:
sudo rm -f /etc/pki/akmods/certs/public_key.der sudo rm -f /etc/pki/akmods/private/private_key.priv
Remove the COPRs, you don’t need them anymore as well:
sudo dnf copr remove egeretto/kmodtool-secureboot sudo dnf copr remove egeretto/akmods-secureboot
Now let’s generate a new certificate pair using the official tool:
sudo kmodgenca -a
Then import the certificate:
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
Reinstall nvidia kernel module:
sudo dnf reinstall akmod-nvidia
Regenerate and sign NVidia kernel module:
sudo akmods --force
Reboot and follow the step #5 of the guide above (Enroll the key).

After reboot you should see the module loaded again.

Like it? Share it!

18 thoughts on “Automatically sign NVidia Kernel module in Fedora 35”

Kevin
May 16, 2022, 15:32
thanks sir , it works. but my touchpad gesture not work, what should i do now?
Reply
- Andrei Nevedomskii Post author
  May 16, 2022, 15:56
  I suppose you’ve logged in using X11 session, right?
  You can use this GNOME extension: https://extensions.gnome.org/extension/4033/x11-gestures/ (it requires installation of a companion app, the guide is available here: https://github.com/JoseExposito/touchegg#fedora-centos-rhel-and-derivatives )
  But tbh, I’d recommend using Wayland instead (if you can). Your GPU should work fine under Wayland.
  Reply
  - kevin
    May 17, 2022, 09:58
    if there is a kernel update what to do?
    just type only akmod –force? or then type dracut –force?
    i want to setup X Screen 0 on nvidia-setting, what should we do?
    i follow then i have /etc/X11/xorg.conf.d/nvidia.conf like this,
    Section “OutputClass”
    Identifier “nvidia”
    MatchDriver “nvidia-drm”
    Driver “nvidia”
    Option “AllowEmptyInitialConfiguration”
    Option “SLI” “Auto”
    Option “BaseMosaic” “on”
    EndSection
    Section “ServerLayout”
    Identifier “layout”
    Option “AllowNVIDIAGPUScreens”
    EndSection
    and last question sir,
    i type nvidia-settings and return this, what the meaning?
    (nvidia-settings:19237): GLib-GObject-CRITICAL **: 14:45:14.684: g_object_unr>
    sorry sir, I’m confused about setting the Nvidia driver properly
    Reply
    - Andrei Nevedomskii Post author
      May 17, 2022, 10:16
      > if there is a kernel update what to do?
      That’s the cool thing – you don’t have to do anything manually! akmods will be called after an update in background or when you reboot your computer.
      But yeah, in case you want to make sure the module got generated, you can run sudo akmods --force .
      > i want to setup X Screen 0 on nvidia-setting, what should we do?
      What exactly are you trying to achieve? If you want to make Nvidia your primary GPU, here’s a guide for that: https://docs.fedoraproject.org/en-US/quick-docs/how-to-set-nvidia-as-primary-gpu-on-optimus-based-laptops/#_step_8_edit_the_x11_configuration
      > i type nvidia-settings and return this, what the meaning?
      Not sure tbh. Ask Fedora might be a better place to ask this: https://ask.fedoraproject.org/
      Or maybe you can ask on reddit: https://www.reddit.com/r/Fedora/
      Reply
      - kevin
        May 17, 2022, 19:19
        no sir, i dont want my nvidia for primary ,
        like this sir,
        https://drive.google.com/file/d/1gqxeGsd5lTzgm6HgmfLk02ikwRWTKtGB/view?usp=sharing
        i want to Bring up X Screen 0 and X Server Display Configuration from nvidia-settings because they don’t appear
        so that’s what I mean, sir
        Sorry sir, the question was cut off
        (nvidia-settings:13321): GLib-GObject-CRITICAL **:
        23:46:06.770: g_object_unref: assertion ‘G_IS_OBJECT (object)’ failed
        sorry sir , my english not fluent
        Reply
Kevin
May 15, 2022, 16:16
Thanks sir,but I have question. how i know my driver works well? i type lsmod | grep -i nvidia
nvidia_drm 69632 1
nvidia_modeset 1167360 2 nvidia_drm
nvidia_uvm 1204224 0
nvidia 39153664 122 nvidia_uvm,nvidia_modeset
in my gnome settings > about on option graphics = ” AMD renoir/AMD renoir” it means my nvidia not work? , how to detect in settings? and how to make nvidia works in heavy load example in games, machine learning, so what should i do?? and how to make nvidia switch to igp easily like in ubuntu with “prime-select”.
Reply
- Andrei Nevedomskii Post author
  May 15, 2022, 17:29
  Hey Kevin,
  > how i know my driver works well?
  There are multiple ways to check that, here’s an askubuntu thread with a few examples.
  So, you can use nVidia settings app, or nvidia-smi command line tool, or maybe even just run this command:
  cat /proc/driver/nvidia/gpus/0000:01:00.0/power
  In my case it returns the following info:
  Runtime D3 status: Enabled (fine-grained)
  Video Memory: Off
  GPU Hardware Support:
  Video Memory Self Refresh: Supported
  Video Memory Off: Supported
  Power Limits:
  Default: N/A milliwatts
  GPU Boost: N/A milliwatts
  > in my gnome settings > about on option graphics = ” AMD renoir/AMD renoir” it means my nvidia not work?
  If you’re using Fedora 36, then probably you’re also using Wayland as display server (starting with Fedora 36, Wayland is used by default even with NVidia driver). On Wayland NVidia graphics cards wouldn’t show up in the settings > about screen, that’s a known issue. But if you’ll login into your session using X11, then you should see your graphics card appear there.
  > and how to make nvidia works in heavy load example in games, machine learning, so what should i do??
  Here are a few articles about how to use NVidia GPU on laptops with hybrid graphics:
  https://docs.fedoraproject.org/en-US/quick-docs/how-to-set-nvidia-as-primary-gpu-on-optimus-based-laptops/
  https://rpmfusion.org/Howto/Optimus
  > and how to make nvidia switch to igp easily like in ubuntu with “prime-select”.
  To run an app using the discrete graphics card you can right click an app in the app drawer and pick “Lunch using Discrete Graphics Card”, like on this screenshot:
  Reply
Ryan D. Silva
April 14, 2022, 07:05
Hello! looks like fedora 36 received signed driver support, can you make a post dedicated to this new tool?
https://src.fedoraproject.org/fork/nvieville/rpms/akmods/blob/secure_boot_key_features/f/README.secureboot
Reply
- Andrei Nevedomskii Post author
  May 17, 2022, 11:41
  Hey Ryan,
  That’s the sources used to build the COPRs from the article. Nevertheless, you are correct, Fedora 36 now supports automatic driver signing officially. Here’s a post for that: https://blog.monosoul.dev/2022/05/17/automatically-sign-nvidia-kernel-module-in-fedora-36/ .
  Reply
KylinDemons
April 9, 2022, 12:44
Thanks,this works well for me.If I have the two moded packages(kmodtool akmods) installed,is it possible to have other kernel modules signed(such as vmnet in vmware workstation)?
Reply
- Andrei Nevedomskii Post author
  April 10, 2022, 21:54
  Hey, yep, totally possible.
  Reply
squizzi
March 17, 2022, 19:10
This worked great, thanks so much for putting this together.
Reply
Dave
February 15, 2022, 20:50
Normally about half way through a walkthrough like this there is just one thing that doesn’t work. This is different absolutely perfect Thankyou.
Reply
- Andrei Nevedomskii Post author
  February 25, 2022, 11:12
  You’re welcome!
  Reply
Vladyslav
February 12, 2022, 02:30
There were no differences with the instructions, but for some reason it did not work.
In the end this worked for me – https://github.com/larsks/akmod-sign-modules
Reply
- Andrei Nevedomskii Post author
  February 15, 2022, 00:17
  Hey Vladyslav,
  I wonder what went wrong there, since it’s been working fine for me so far
  But anyway, I’m glad you found a solution that worked for you!
  Reply
Alan Delgado
February 8, 2022, 20:31
Thank you so much for this tutorial, it worked perfectly and it was very easy to follow. Recently I installed Windows 11 and it requires secure boot enabled, so installing Nvidia drivers on Fedora is more complicated.
Reply
- Andrei Nevedomskii Post author
  February 8, 2022, 20:33
  Hey Alan,
  You’re welcome!
  Reply

Automatically sign NVidia Kernel module in Fedora 35

AUTHOR

Andrei Nevedomskii

Leave a comment Cancel reply

18 thoughts on “Automatically sign NVidia Kernel module in Fedora 35”