How to install nvidia driver with secure boot enabled?
Try this:
- Step 1: Download latest driver from NVIDIA website, https://www.geforce.com/drivers.
- Step 2: Create new pair private key (Nvidia.key) and public key (Nvidia.der) by entering command:
openssl req -new -x509 -newkey rsa:2048 -keyout PATH_TO_PRIVATE_KEY -outform DER -out PATH_TO_PUBLIC_KEY -nodes -days 36500 -subj "/CN=Graphics Drivers"
Example:
openssl req -new -x509 -newkey rsa:2048 -keyout /home/itpropmn07/Nvidia.key -outform DER -out /home/itpropmn07/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"
- Step 3: Enroll public key (nvidia.der) to MOK (Machine Owner Key) by entering command:
sudo mokutil --import PATH_TO_PUBLIC_KEY
Example:
sudo mokutil --import /home/itpropmn07/Nvidia.der
--> This command requires you create password for enrolling. Afterwards, reboot your computer, in the next boot, the system will ask you enroll, you enter your password (which you created in this step) to enroll it. Read more: https://sourceware.org/systemtap/wiki/SecureBoot
- Step 4: For the first time install NVidia driver, you need to disable Nouveau kernel driver by entering command:
echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf; sudo update-initramfs -u
--> Reboot.
-Step 5: Install driver by entering command
sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY
where:
XXXXXX
: name of file installer (download from NVIDIA).
PATH_TO_PRIVATE_KEY
: full path to private key. If you place in home folder, use /home/USER_NAME/
instead of ~
PATH_TO_PUBLIC_KEY
: full path to public key. If you place in home folder, use /home/USER_NAME/
instead of ~
Example:
sudo sh ./NVIDIA-Linux-x86_64-390.67.run -s --module-signing-secret-key=/home/itpropmn07/Nvidia.key --module-signing-public-key=/home/itpropmn07/Nvidia.der
--> Done
Read more https://us.download.nvidia.com/XFree86/Linux-x86/319.32/README/installdriver.html
The recommendation from itpropmn07 works for me. There is one change I had to make which is the last step.
Instead of entering this command:
sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY
I entered the command without -s
:
sudo sh ./XXXXXX.run --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY
With this command I could interactively install the driver.