Before Fedora 36 it was a bit problematic to automatically sign kernel modules the same way Ubuntu does that. But starting with this release, you can do that in just a few easy steps. Here’s how to automatically sign NVidia kernel module in Fedora 36.
Before we start, lets make sure some preconditions are met:
- you should already have Secure Boot enabled;
- you don’t have NVidia driver installed yet;
- and you should have Fedora 36 installed. 😉
I tested this guide with Fedora 36. For older versions you can follow this guide.
If you’re upgrading from Fedora 35, please follow this guide.
This guide is an a bit extended version of the official guide available at rpmfusion.
Time needed: 10 minutes.
Here’s how to automatically sign NVidia kernel module in Fedora 36
- Install the tools required for auto signing to work
sudo dnf install kmodtool akmods mokutil openssl
- Generate a signing key
sudo kmodgenca -a
- Initiate the key enrollment
This will make Linux kernel trust drivers signed with your key
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
You will be asked to enter a password, it doesn’t have to be very strong, just make sure to remember it. You’ll only need it once during step 5. - Reboot to enroll the key
sudo reboot
- Enroll the key
After reboot you will see MOK Manager interface and will be asked to enroll the key. Probably if you ever installed nVidia drivers in Ubuntu with Secure boot enabled, you’ve seen this interface before.
First select “Enroll MOK
“.
Then “Continue
“.
Hit “Yes
” and enter the password from step 3.
Then select “OK
” and your device will reboot again. - Install NVidia driver
Now just install NVidia driver like you would typically do.
sudo dnf install gcc kernel-headers kernel-devel akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs xorg-x11-drv-nvidia-libs.i686
- Make sure the kernel modules got compiled
sudo akmods --force
- Make sure the boot image got updated as well
sudo dracut --force
- Reboot your device
sudo reboot
Now that you’re done, make sure to verify the driver got loaded after reboot:
$> lsmod | grep -i nvidia
nvidia_drm 73728 1
nvidia_modeset 1150976 2 nvidia_drm
nvidia 36954112 129 nvidia_modeset
drm_kms_helper 311296 2 nvidia_drm,i915
drm 630784 28 drm_kms_helper,nvidia,nvidia_drm,i915,ttm
if you have output similar to the one above, then everything went smoothly and you’re all set!
I hope this was helpful.
Happy hacking!
15 thoughts on “Automatically sign NVidia Kernel module in Fedora 36”
Thanks for this! Needed secure boot to be on. Only issue I now have is that I do not get the driver in wayland but works in xorg. any solutions to be able to use wayland?
Thank you! Thank so much! I recently installed Fedora 36, but I couldn’t install the Nvidia driver. “NVIDIA kernel module missing”error.
Thanks to your advice, everything worked out as it should. Next -Steam and games)
I had an issue that my user was not in the video group. So the driver was able to authenticate to use the libEGL.
Adding my user to the video group helped me out. Maybe useful for some other.
Hey Chris, thanks for sharing!
HI Andrei, Thank you for this post. I see in step 6 that you are installing xorg-x11-drv-nvidia-libs.i686 – is there a reason why we do not choose the x86_64 version of this?
Hey Raju,
No particular reason, I just copied the list of packages from this article: https://docs.fedoraproject.org/en-US/quick-docs/how-to-set-nvidia-as-primary-gpu-on-optimus-based-laptops/#_step_4_install_the_driver_and_its_dependencies .
Although, if you’re going to install Steam, then you’d probably need those libraries, since Steam is only x86.
Got it. Thank you Andrei. Just installed Steam 😀
If you’re a lazy bastard like me, do steps 1-5 and then install the Nvidia driver via “Software”. Works too.
Lol, and I thought I mastered the art of laziness
Hello
I just upgraded my dual boot setup from Win10 to Win11. In the process I also enabled Secureboot although it was not compulsory (to my surprise). Anyways my dual boot Fedora36 first booted in kernel_lockdown mode. I ran a dnf update to check if the update would automatically do the stuff required to not boot in kernel_lockdown but no. Anyways I am trying your instructions but I cannot find the kmodgenca command anywhere on my system even though all the required packages are installed. If I run rpm -ql on kmodtool akmods mokutil – none of them list the kmodgenca file. Whats missing here? How can I obtain the kmodgenca tool?
Hey!
> Anyways my dual boot Fedora36 first booted in kernel_lockdown mode
AFAIK, when secure boot is on, it will always boot in
kernel_lockdown
mode.> Whats missing here? How can I obtain the kmodgenca tool?
If I run
dnf provides /usr/sbin/kmodgenca
, here’s what I get:Last metadata expiration check: 3 days, 9:05:03 ago on Tue 17 May 2022 09:22:32.
akmods-0.5.7-7.fc36.noarch : Automatic kmods build and install tool
Repo : fedora
Matched from:
Filename : /usr/sbin/kmodgenca
akmods-0.5.7-8.fc36.noarch : Automatic kmods build and install tool
Repo : @System
Matched from:
Filename : /usr/sbin/kmodgenca
akmods-0.5.7-8.fc36.noarch : Automatic kmods build and install tool
Repo : updates
Matched from:
Filename : /usr/sbin/kmodgenca
So,
kmodgenca
is provided byakmods
.I am sorry but I was hallucinating! I thought I was already on F36…. sheesh! Upgrading now.
PS: do you know if one can upgrade properly with kernel in lockdown mode?
Yes, you can. I did that. 🙂
The only thing you can’t do with kernel in lockdown mode is hibernate your laptop. Well, and load unsigned drivers. Everything else should work fine AFAIK.
Done! Thank you for the g simple instructional Blog making it look so easy.
You’re welcome!