Secure boot prevents nvidia driver install?

dos2unix

I have two linux systems with Nvidia GeForce cards in them. Fedora39 and Arch 24.03.01.
Ever since the 6.6.x kernels, my nvidia drivers have failed to install. Not a real big deal, it just falls back to Nouveau.
I figured I would research it later. I have secure boot enabled on both distros.
After fighting with this for a while, I gave up on the vendor packages, and I decided to download the drivers straight from
the nvidia website. As it was going through the install, it said I had signed_module_security enabled in my kernel.
It said I wouldn't be able to install unsigned libraries. So I have it "self-sign" them with nvidia's signing keys.
I figured they were "good enough". But no, after it attempts to install them, it says because I have secure boot enabled
it can't install the keys. So I go into the UEFI and disable secure boot.

Sure enough, I can install the nvidia drivers now. So I disable it on my Fedora system also. I reinstall the nvidia packages rpms
from rpmfusion... and everything works.

I didn't even need the nvidia run file, I was able to install the regular rpms. I don't know if anyone else has ever run into this.
 


I don't know if anyone else has ever run into this.

I hadn't.

I use AMD on my go to rig, but one of my other old rigs has nVidia. I will bookmark this Thread.

Thanks for sharing, Marvin. ;)
 
I have two linux systems with Nvidia GeForce cards in them. Fedora39 and Arch 24.03.01.
I figured I would research it later. I have secure boot enabled on both distros.
I don't know if anyone else has ever run into this.
I don't normally use Secure Boot. I have used it when I ran Fedora to see what the experience would be like. But as soon as you want to load custom drivers, you will have to manually sign them, which I find too much effort for what it's worth. And there are controversies about Secure Boot even though it may actually add some security for some use cases, but that can only be decided by the owner of the system if it does that for them and if it's worth it. My new system won't have an Nvidia GPU but an AMD GPU, so I may just try it again just out of curiosity.
 
I didn't have this issue because my MSI mobo does not let me update nvram variables to update secure boot with mokutil due to lack of implementation in UEFI firmware. (took me a lot of effort to diagnose this btw.)

But otherwise if you don't have this issue then it should be as simple as follows:
1. disabling secure boot first
2. creating keys with mokutil and adding them to UEFI
3. signing nvidia drivers with installer option and created keys during installation as follows:
Bash:
sudo bash ./NVIDIA-Linux-x86_64-535.154.05.run \
--module-signing-secret-key=/var/lib/shim-signed/mok/MOK.priv \
--module-signing-public-key=/var/lib/shim-signed/mok/MOK.der
4. re-enabling secure boot

Sadly I haven't tested this due to a bug in my firmware but I'm sure this is how it's done according to nvidia and debian docs.
So in general (but not tested), it follows you do need to disable secure boot to be able to install the driver.
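
A pre-flight check for the last step of the procedure above, added here as an example and not taken from any post in this thread: before Secure Boot is switched back on, it confirms that the module carries a signature, that the MOK certificate is enrolled, and that the signer matches that certificate. The `diagnose` function and its verdict strings are hypothetical names; the key path is the one used in the post, the module name `nvidia` is an assumption, and the matched phrases assume the usual wording of `mokutil --sb-state` and `mokutil --test-key` output.

```shell
#!/bin/sh
# Added example: decide whether a signed module will load once Secure Boot enforces.
# MOK_DER defaults to the certificate path used in the post above.
MOK_DER="${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}"

# diagnose SB_STATE TEST_KEY_OUT CERT_SUBJECT MODULE_SIGNER
#   SB_STATE      output of: mokutil --sb-state
#   TEST_KEY_OUT  output of: mokutil --test-key "$MOK_DER"
#   CERT_SUBJECT  output of: openssl x509 -inform DER -in "$MOK_DER" -noout -subject
#   MODULE_SIGNER output of: modinfo -F signer <module>   (empty when unsigned)
# Prints "<verdict> <mode>". Later checks override earlier ones, so the
# priority is MODULE_UNSIGNED > MOK_NOT_ENROLLED > SIGNER_MISMATCH > OK.
diagnose() {
    sb_state=$1; test_key=$2; cert_subject=$3; signer=$4
    verdict=OK
    # The signer recorded in the module must appear in the certificate subject.
    case "$cert_subject" in
        *"$signer"*) ;;
        *) verdict=SIGNER_MISMATCH ;;
    esac
    # The certificate must already be in the MOK list, not merely generated.
    case "$test_key" in
        *"is already enrolled"*) ;;
        *) verdict=MOK_NOT_ENROLLED ;;
    esac
    # An unsigned module is rejected regardless of which keys are enrolled.
    [ -n "$signer" ] || verdict=MODULE_UNSIGNED
    case "$sb_state" in
        *"SecureBoot enabled"*) mode=enforcing ;;
        *) mode=not-enforcing ;;
    esac
    echo "$verdict $mode"
}

# Live mode: sh preflight.sh --live [module]   (module defaults to nvidia)
if [ "${1:-}" = "--live" ]; then
    module="${2:-nvidia}"
    result=$(diagnose \
        "$(mokutil --sb-state 2>&1)" \
        "$(mokutil --test-key "$MOK_DER" 2>&1)" \
        "$(openssl x509 -inform DER -in "$MOK_DER" -noout -subject 2>&1)" \
        "$(modinfo -F signer "$module" 2>/dev/null)")
    echo "$module: $result"
    case "$result" in OK*) exit 0 ;; *) exit 1 ;; esac
fi
```

Any verdict other than `OK` with mode `not-enforcing` means the driver loads today only because signatures are not being checked, and it would be rejected after Secure Boot is re-enabled.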
 
