This script automates the process of signing NVIDIA kernel modules to ensure they can be loaded successfully on systems with Secure Boot enabled.
When Secure Boot is active on a Linux system, the kernel refuses to load unsigned kernel modules. Proprietary NVIDIA drivers often come as unsigned kernel modules, especially if you build them yourself, as I do, which can prevent the graphics card from functioning correctly. This script addresses that by finding the NVIDIA kernel modules and signing them with a user-provided Machine Owner Key (MOK). Once the modules are signed and the MOK is enrolled in your UEFI firmware, they are trusted and allowed to load.
Before running this script, ensure you have the following:

- MOK keys: A private key (`MOK.key`) and its corresponding DER-encoded public certificate (`MOK.der`). The script expects the `.key` and `.der` files to be in the same directory as the script when you run it. If you only have a `.crt` file, you can convert it to `.der` using OpenSSL:

  ```sh
  sudo openssl x509 -in MOK.crt -outform der -out MOK.der
  ```

- pesign utility: This tool is used to verify signatures. Install it if you don't have it (e.g., `sudo apt install pesign` on Debian/Ubuntu, `sudo dnf install pesign` on Fedora).
- Kernel headers: The kernel headers for your currently running kernel must be installed, as they contain the `sign-file` tool used for signing. The script expects it at `/usr/src/linux-headers-$(uname -r)/scripts/sign-file`.
- Root privileges: The script modifies files in `/lib/modules/` and uses `sign-file`, both of which require root privileges. You must run the script with `sudo`.
- Place keys: Ensure `MOK.key` and `MOK.der` are in the same directory as this script.
- Make executable:

  ```sh
  chmod +x sign_nvidia_modules.sh   # or whatever you name the script
  ```

- Run the script:

  ```sh
  sudo ./sign_nvidia_modules.sh
  ```

- Enroll MOK (crucial!): If you haven't already, you must enroll your `MOK.der` public key into your UEFI firmware's MOK list. This is typically done using `mokutil`:

  ```sh
  sudo mokutil --import MOK.der
  ```

  You will be prompted to set a password. After running this, reboot your system, and a blue screen (the MOK management screen) will appear during boot. Follow the (often challenging to understand) instructions to enroll the key using the password you set. In my case the MOK utility appears to only support the FAT32 filesystem, so I copy the signing keys under the `/boot/efi` path, which is mapped to a FAT32 partition during the Debian install.
- Reboot: After the script completes and you've enrolled your MOK (if necessary), reboot your system to allow the signed modules to load.
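The signing pass the steps above describe, written out as an added example rather than the repository's own script. It assumes `MOK.key` and `MOK.der` sit next to the script and that `sign-file` is at the kernel-headers path listed in the prerequisites (both overridable through environment variables), skips modules that already carry the kernel's signature trailer so a second run does not stack a second signature, and checks the result with `modinfo` instead of `pesign`.

```sh
#!/bin/sh
# Added example, not the README's own script: sign every NVIDIA module for the
# running kernel with the MOK and skip modules that already carry a signature.
# Assumptions (override with environment variables): keys live next to this
# file as MOK.key / MOK.der, sign-file comes from the kernel headers, and the
# signature is checked with modinfo instead of pesign.
set -eu

KERNEL="${KERNEL:-$(uname -r)}"
KEY_DIR="${KEY_DIR:-$(dirname "$0")}"
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-$KERNEL/scripts/sign-file}"
MODULE_DIR="${MODULE_DIR:-/lib/modules/$KERNEL}"

# Every signed module ends with this 28-byte trailer (the newline is part of it).
SIG_MARKER='~Module signature appended~'

# True when the file already ends with the signature trailer. Re-signing a
# signed module appends a second signature instead of replacing the first.
is_signed() {
    [ "$(tail -c 28 "$1")" = "$SIG_MARKER" ]
}

# Sign one uncompressed .ko in place, then confirm the kernel tools see a signer.
sign_one() {
    if is_signed "$1"; then
        echo "already signed: $1"
        return 0
    fi
    "$SIGN_FILE" sha256 "$KEY_DIR/MOK.key" "$KEY_DIR/MOK.der" "$1"
    [ -n "$(modinfo -F signer "$1")" ] || { echo "signature check failed: $1" >&2; return 1; }
    echo "signed: $1"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    [ -x "$SIGN_FILE" ] || { echo "$SIGN_FILE missing: install the headers for $KERNEL" >&2; exit 1; }
    for f in MOK.key MOK.der; do
        [ -r "$KEY_DIR/$f" ] || { echo "$KEY_DIR/$f not found" >&2; exit 1; }
    done
    # Compressed modules (.ko.xz / .ko.zst) must be decompressed before signing,
    # so only plain .ko files are picked up here.
    find "$MODULE_DIR" -type f -name 'nvidia*.ko' | while IFS= read -r mod; do
        sign_one "$mod"
    done
}

# Only run the signing pass when invoked as "./script.sh sign"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "sign" ]; then main; fi
```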
- Signing Kernel Modules for Secure Boot - A detailed guide on kernel module signing by Guy Rutenberg