Before Fedora 36 it was a bit problematic to automatically sign kernel modules the same way Ubuntu does that. But starting with this release, you can do that in just a few easy steps. Here’s how to automatically sign NVidia kernel module in Fedora 36.
Before we start, lets make sure some preconditions are met:
- you should already have Secure Boot enabled;
- you don’t have NVidia driver installed yet;
- and you should have Fedora 36 installed. 😉
I tested this guide with Fedora 36. For older versions you can follow this guide.
If you’re upgrading from Fedora 35, please follow this guide.
This guide is an a bit extended version of the official guide available at rpmfusion.
Time needed: 10 minutes.
Here’s how to automatically sign NVidia kernel module in Fedora 36
- Install the tools required for auto signing to work
sudo dnf install kmodtool akmods mokutil openssl
- Generate a signing key
sudo kmodgenca -a
- Initiate the key enrollment
This will make Linux kernel trust drivers signed with your key
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
You will be asked to enter a password, it doesn’t have to be very strong, just make sure to remember it. You’ll only need it once during step 5. - Reboot to enroll the key
sudo reboot
- Enroll the key
After reboot you will see MOK Manager interface and will be asked to enroll the key. Probably if you ever installed nVidia drivers in Ubuntu with Secure boot enabled, you’ve seen this interface before.
First select “Enroll MOK
“.
Then “Continue
“.
Hit “Yes
” and enter the password from step 3.
Then select “OK
” and your device will reboot again. - Install NVidia driver
Now just install NVidia driver like you would typically do.
sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs xorg-x11-drv-nvidia-libs.i686
- Make sure the kernel modules got compiled
sudo akmods --force
- Make sure the boot image got updated as well
sudo dracut --force
- Reboot your device
sudo reboot
Now that you’re done, make sure to verify the driver got loaded after reboot:
$> lsmod | grep -i nvidia
nvidia_drm 73728 1
nvidia_modeset 1150976 2 nvidia_drm
nvidia 36954112 129 nvidia_modeset
drm_kms_helper 311296 2 nvidia_drm,i915
drm 630784 28 drm_kms_helper,nvidia,nvidia_drm,i915,ttm
Code language: Gradle (gradle)
if you have output similar to the one above, then everything went smoothly and you’re all set!
I hope this was helpful.
Happy hacking!
49 thoughts on “Automatically sign NVidia Kernel module in Fedora 36”
Very clean and insightful. Thank You.
Thank you very much! After trying for hours i finally found this guide and it worked
Thanks. I asked about automatic decryption workaround in my previous comment and it seems to be fixed itself now. Sorry for bothering you.
Thank you very much. This is the only guide that helped me to install Nvidia drivers on my Fedora 37.
If it’s not much to ask can you kindly guide me to get around following problem. I would be so grateful.
My root drive was setup to automatically decrypt according to this guide and it doesn’t work after correctly installing Nvidia drivers.
https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
I’ve tried unbinding, rebinding, regenerating but nothing worked.
Thanks in advance
Great! Thank you for this easy to follow tutorial! Worked perfect on my Fedora 38 install on my Aorus 15p XD laptop with nvidia 3070 / Intel UHD graphics!
Thanks for the great post
I found that every time I receive a kernel update, booting into the new kernel I see “nvidia module load error, fallback to nouveau” or smthg.
As a fix once it’s booted, I have to remove & install again all the nvidia packages (a simple `dnf reinstall` doesn’t help )
I’m not familiar with the kernel & modules but is it possible to automate that process?
Thanks in advance
Hey Amir,
That’s weird. I just did a kernel update and the kernel module got compiled during reboot, so the system booted up with the new kernel just fine. Maybe we have different setups. I’d suggest asking about it here: https://ask.fedoraproject.org/ , maybe that’s a bug.
Same issue. Even after going through all the steps needed to automate the signing pocess, I often need to uninstall/reinstall the NVIDIA drivers when the kernel gets updated in order for it to be properly signed and loaded with Secure Boot enabled.
I’d suggest reporting it to Fedora devs then.
Just out of curiosity though, what kind of device do you have? Is it a laptop or a desktop computer? If it’s the former then do you have hybrid graphics?
Yes. It’s an MSI Radeir GE66 laptop with a 12700H and an NVIDIA GTX 3070 Ti and I’m running it hybrid mode (I can switch off the Intel GPU completely if I want to).
Can this technique be used to automatically sign other kernel modules such as the ones required by vmware workstation or virtualbox?
Hey Chris,
Yep, works with any other kernel module as well. I tested it with TLP some time ago.
Is the procedure any different?
The only difference is that you install another driver instead of nvidia 🙂 And if you have already gone through the process you can just install the new driver, no need to go through key generation and other stuff.
thank you for this blog, i am using silverblue 36 with the same problem, i already attempted other fixs with no luck, will this work with silverblue? and should i reinstall and start fresh which would be easy right now, or uninstall nvida drivers ?
Hey, as far as I know there’s no solution for Silverblue atm.
I haven’t tried it myself yet (am also on Silverblue), but I did see someone actually managed to do this on Silverblue as well. Here’s github page with instructions:
https://github.com/nelsonaloysio/build-kmod-nvidia-signed-rpm
Use at your own discretion, as I said, I haven’t tried it myself.
Great write-up! Will we experience any issues if the kernel gets updated or if we upgrade from Fedora 36 to Fedora 37 (and beyond)?
Hey Zeddie,
Nope, no issues, upgrade should be smooth. At least I don’t foresee any.
I think an update in Fedora 36 broke something. It won’t boot. Just a black screen after the first Fedora splash screen. I can’t even hit ESC to see the boot process.
After booting into the older kernel, I thought it was just a bad updated and tried again. Now I can’t boot into either. On my other computer, I noticed it removed kmod-nvidia. How do I fix this now? I don’t want to reinstall from scratch.
Have you tried giving it some time? After you install a new kernel or a new nvidia driver version it might run akmods tool to compile the module on the next boot. So you might just have to wait a bit till it compiles the new module.
How long does it take? I have a 5600X. It’s been at least 15 minutes. Will it take overnight?
Okay, that’s probably too long. I’d recommend trying to boot with
nouveau
enabled, you can do that by changing the command line for the boot option in GRUB, you need to remove argsrd.driver.blacklist=nouveau
andmodprobe.blacklist=nouveau
.To get into the boot menu you should press shift button during boot. When you get into the boot menu, press “
e
” to edit the option you want to boot, remove the args mentioned above and then pressCtrl+X
to boot it.If the system boots with
nouveau
driver, then the issue has something to do with the proprietary driver. If it still doesn’t boot after that then the root cause of the issue is something else.Before you responded, I went ahead and just reinstalled Fedora 36. I made sure everything is updated THEN I followed your steps. After the first reboot to sign the driver (where MOK asks for password), it looks to boot normally until the Fedora splash comes up, then when it’s suppose to have the animated circle, it just goes black. Can’t hit ESC to see the boot process.
Something changed with Fedora’s latest updates that causing this. I don’t know what.
I’ll give that a try when I get a chance. Thanks.
Did you ever get it to work? I have the same issue in fedora 38 and removing the blacklist from grub to get back the old drivers is the only way it works, I can’t use nvidia.
I mean is there a way to boot into a Fedora Live environment and use chroot to fix it? Do I have to reinstall kmod-nvidia? Do I need to resign?
I guess I need step-by-step since I’ve only chrooted in Arch, and not sure if that’s even an option in Fedora (and what the steps are).
Yes, you can chroot in Fedora. You can boot any live Linux image and then chroot into your installation.
One thing you can try is to change the grub config to load
nouveau
driver and see if the system boots. But as a first step I’d recommend to try to wait for the system to boot for a few minutes. As I mentioned maybe it just compiles the new kernel module.I seem to be missing `drm_kms_helper` and `drm` from the lsmod list, do I need these?
This is on a fresh fedora install. I did have secureboot disabled, I turned it on before I started this tutorial. I am wondering why these are missing. Followed your guide to the letter.
Hey Carlos,
As long as you see nvidia modules there it’s all good.
I don’t suppose there’s a way to do this for Centos Stream?
Hey Hugh, as long as
kmodtool
version in CentOS Stream supports module auto signing I think the process should be pretty similar there.Thank you for helping sir, I visited this website several times to install Nvidia drivers for Fedora Linux. And thank you for answering in the comments column in the previous session.
https://blog.monosoul.dev/2021/12/29/automatically-sign-nvidia-kernel-module-in-fedora/
Hey Kevin, glad it helped! 🙂
Thanks for this! Needed secure boot to be on. Only issue I now have is that I do not get the driver in wayland but works in xorg. any solutions to be able to use wayland?
Thank you! Thank so much! I recently installed Fedora 36, but I couldn’t install the Nvidia driver. “NVIDIA kernel module missing”error.
Thanks to your advice, everything worked out as it should. Next -Steam and games)
I had an issue that my user was not in the video group. So the driver was able to authenticate to use the libEGL.
Adding my user to the video group helped me out. Maybe useful for some other.
Hey Chris, thanks for sharing!
HI Andrei, Thank you for this post. I see in step 6 that you are installing xorg-x11-drv-nvidia-libs.i686 – is there a reason why we do not choose the x86_64 version of this?
Hey Raju,
No particular reason, I just copied the list of packages from this article: https://docs.fedoraproject.org/en-US/quick-docs/how-to-set-nvidia-as-primary-gpu-on-optimus-based-laptops/#_step_4_install_the_driver_and_its_dependencies .
Although, if you’re going to install Steam, then you’d probably need those libraries, since Steam is only x86.
Got it. Thank you Andrei. Just installed Steam 😀
If you’re a lazy bastard like me, do steps 1-5 and then install the Nvidia driver via “Software”. Works too.
Lol, and I thought I mastered the art of laziness
Hello
I just upgraded my dual boot setup from Win10 to Win11. In the process I also enabled Secureboot although it was not compulsory (to my surprise). Anyways my dual boot Fedora36 first booted in kernel_lockdown mode. I ran a dnf update to check if the update would automatically do the stuff required to not boot in kernel_lockdown but no. Anyways I am trying your instructions but I cannot find the kmodgenca command anywhere on my system even though all the required packages are installed. If I run rpm -ql on kmodtool akmods mokutil – none of them list the kmodgenca file. Whats missing here? How can I obtain the kmodgenca tool?
Hey!
> Anyways my dual boot Fedora36 first booted in kernel_lockdown mode
AFAIK, when secure boot is on, it will always boot in
kernel_lockdown
mode.> Whats missing here? How can I obtain the kmodgenca tool?
If I run
dnf provides /usr/sbin/kmodgenca
, here’s what I get:Last metadata expiration check: 3 days, 9:05:03 ago on Tue 17 May 2022 09:22:32.
akmods-0.5.7-7.fc36.noarch : Automatic kmods build and install tool
Repo : fedora
Matched from:
Filename : /usr/sbin/kmodgenca
akmods-0.5.7-8.fc36.noarch : Automatic kmods build and install tool
Repo : @System
Matched from:
Filename : /usr/sbin/kmodgenca
akmods-0.5.7-8.fc36.noarch : Automatic kmods build and install tool
Repo : updates
Matched from:
Filename : /usr/sbin/kmodgenca
So,
kmodgenca
is provided byakmods
.I am sorry but I was hallucinating! I thought I was already on F36…. sheesh! Upgrading now.
PS: do you know if one can upgrade properly with kernel in lockdown mode?
Yes, you can. I did that. 🙂
The only thing you can’t do with kernel in lockdown mode is hibernate your laptop. Well, and load unsigned drivers. Everything else should work fine AFAIK.
Done! Thank you for the g simple instructional Blog making it look so easy.
You’re welcome!