Monosoul's Dev Blog A blog to write down dev-related stuff I face

Automatically sign NVidia Kernel module in Fedora 35

If you’ve migrated to Fedora from Ubuntu and you have Secure Boot enabled, you might have noticed a significant difference between the 2 distros: Fedora doesn’t automatically sign the NVidia kernel module like Ubuntu does. This article will help you make Fedora as comfortable to use as Ubuntu is in that regard.

Before we start, let’s make sure some preconditions are met:

  • you should already have Secure Boot enabled;
  • you don’t have NVidia driver installed yet;
  • and you should have Fedora installed. 😉

This guide was tested with Fedora 34 and 35, and probably works with older versions.

IMPORTANT: Fedora 36 now has official support for module auto signing. If you’re doing a fresh install of Fedora 36, make sure to follow this guide instead.

Time needed: 10 minutes

Here’s how to automatically sign the NVidia kernel module in Fedora 35 and earlier:

  1. Install mokutil and openssl

    sudo dnf install mokutil openssl

  2. Generate a signing key

    sudo openssl req -new -x509 -newkey rsa:2048 -keyout ~/driver-signing.key -outform DER -out ~/driver-signing.der -nodes -days 36500 -subj "/CN=Private Driver Signing"

  3. Initiate the key enrollment

    This will make the Linux kernel trust drivers signed with your key.

    sudo mokutil --import ~/driver-signing.der

    You will be asked to enter a password. It doesn’t have to be very strong, just make sure to remember it. You’ll only need it once during step 5.

  4. Reboot to enroll the key

    sudo reboot

  5. Enroll the key

    After the reboot you will see the MOK Manager interface and will be asked to enroll the key. If you have ever installed NVidia drivers in Ubuntu with Secure Boot enabled, you have probably seen this interface before.
    First select “Enroll MOK”.
    Then “Continue”.
    Hit “Yes” and enter the password from step 3.
    Then select “OK” and your device will reboot again.

  6. Enable 2 COPRs

    We’re gonna need the modified versions of the tools used to compile kernel modules, which come from these repositories.
    Thanks to Elia Geretto for the repositories.

    sudo dnf copr enable egeretto/kmodtool-secureboot
    sudo dnf copr enable egeretto/akmods-secureboot

    sudo dnf update --refresh

  7. Install the modified versions of kmodtool and akmods

    sudo dnf install kmodtool akmods

  8. Move the public and private parts of the key to the akmods dir and set secure permissions

    sudo mv ~/driver-signing.der /etc/pki/akmods/certs/public_key.der
    sudo chown root:akmods /etc/pki/akmods/certs/public_key.der
    sudo chmod 640 /etc/pki/akmods/certs/public_key.der
    sudo mv ~/driver-signing.key /etc/pki/akmods/private/private_key.priv
    sudo chown root:akmods /etc/pki/akmods/private/private_key.priv
    sudo chmod 640 /etc/pki/akmods/private/private_key.priv

  9. Install NVidia driver

    Now just install the NVidia driver like you typically would.

    sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs xorg-x11-drv-nvidia-libs.i686

  10. Make sure the kernel modules got compiled

    sudo akmods --force

  11. Make sure the boot image got updated as well

    sudo dracut --force

  12. Reboot your device

    sudo reboot

Now that you’re done, make sure to verify the driver got loaded after reboot:

$> lsmod | grep -i nvidia

nvidia_drm             73728  1
nvidia_modeset       1150976  2 nvidia_drm
nvidia              36954112  129 nvidia_modeset
drm_kms_helper        311296  2 nvidia_drm,i915
drm                   630784  28 drm_kms_helper,nvidia,nvidia_drm,i915,ttm

If you have output similar to the one above, then everything went smoothly and you’re all set!
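
The `lsmod` output shows that the module loaded, but not who signed it or whether the signing key is still protected. The script below is an added example, not part of the original post: it checks that Secure Boot is enforcing, that the `nvidia` module's signer is the CN from step 2, and that the private key from step 8 (stored unencrypted because of `-nodes`) is not accessible beyond root and the `akmods` group. The function names and the sample `modinfo` text are constructed for illustration.

```bash
#!/bin/sh
# Added example: post-install checks for the guide's key and module.
KEY=/etc/pki/akmods/private/private_key.priv   # path from step 8
EXPECTED_CN="Private Driver Signing"           # CN from step 2

# Constructed sample of `modinfo nvidia` output (trimmed) for offline testing.
SAMPLE_MODINFO='filename:       /lib/modules/EXAMPLE/extra/nvidia/nvidia.ko.xz
license:        NVIDIA
signer:         Private Driver Signing
sig_hashalgo:   sha256'

# $1 = output of `mokutil --sb-state`. Succeeds only if Secure Boot is on
# and shim validation has not been switched off (wording assumed).
sb_enabled() {
    printf '%s\n' "$1" | grep -qx 'SecureBoot enabled' || return 1
    ! printf '%s\n' "$1" | grep -qi 'validation is disabled'
}

# $1 = full `modinfo` output. Prints the signer name, or nothing if unsigned.
module_signer() {
    printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p'
}

# $1 = key file. Succeeds if "other" has no access and group is at most read,
# e.g. 600 or the guide's 640; fails on 644, 660, 666.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        [0-7][04]0) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    rc=0
    sb_enabled "$(mokutil --sb-state 2>&1)" ||
        { echo "FAIL: Secure Boot is not enforcing"; rc=1; }
    signer=$(module_signer "$(modinfo nvidia 2>/dev/null)")
    [ "$signer" = "$EXPECTED_CN" ] ||
        { echo "FAIL: nvidia signer is '${signer:-none}'"; rc=1; }
    key_mode_ok "$KEY" ||
        { echo "FAIL: $KEY is missing or too permissive"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: module signed by '$EXPECTED_CN', key protected"
    return "$rc"
}

# Only touch the live system when asked to; sourcing just defines functions.
if [ "${1:-}" = "--check" ]; then main; fi
```

Save it under any name and run it as root with the `--check` argument, since the private key directory is not readable by regular users.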

I hope this was helpful.

Happy hacking!

Upgrade to Fedora 36:

If you’re installing Fedora 36 from scratch, please make sure to follow this guide instead.

If you have just upgraded to Fedora 36 and noticed the driver doesn’t load anymore, do the following steps:

  • First remove the kernel module(s) that got compiled, but not signed:
    sudo dnf remove $(dnf list --installed | grep -e "^kmod-nvidia.*\.fc36." | awk '{print $1}')
  • Remove the old certificates; you don’t need them anymore:
    sudo rm -f /etc/pki/akmods/certs/public_key.der
    sudo rm -f /etc/pki/akmods/private/private_key.priv
  • Remove the COPRs; you don’t need them anymore either:
    sudo dnf copr remove egeretto/kmodtool-secureboot
    sudo dnf copr remove egeretto/akmods-secureboot
  • Now let’s generate a new certificate pair using the official tool:
    sudo kmodgenca -a
  • Then import the certificate:
    sudo mokutil --import /etc/pki/akmods/certs/public_key.der
  • Reinstall the NVidia kernel module:
    sudo dnf reinstall akmod-nvidia
  • Regenerate and sign the NVidia kernel module:
    sudo akmods --force
  • Reboot and follow step 5 of the guide above (Enroll the key).

After the reboot you should see the module loaded again.
