How to install nvidia driver with secure boot enabled?

drivers uefi nvidia secure-boot

Try this:

- Step 1: Download latest driver from NVIDIA website, https://www.geforce.com/drivers.

- Step 2: Create new pair private key (Nvidia.key) and public key (Nvidia.der) by entering command:

openssl req -new -x509 -newkey rsa:2048 -keyout PATH_TO_PRIVATE_KEY -outform DER -out PATH_TO_PUBLIC_KEY -nodes -days 36500 -subj "/CN=Graphics Drivers"

Example:

openssl req -new -x509 -newkey rsa:2048 -keyout /home/itpropmn07/Nvidia.key -outform DER -out /home/itpropmn07/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"

- Step 3: Enroll public key (nvidia.der) to MOK (Machine Owner Key) by entering command:

sudo mokutil --import PATH_TO_PUBLIC_KEY

Example:

sudo mokutil --import /home/itpropmn07/Nvidia.der

--> This command requires you create password for enrolling. Afterwards, reboot your computer, in the next boot, the system will ask you enroll, you enter your password (which you created in this step) to enroll it. Read more: https://sourceware.org/systemtap/wiki/SecureBoot

- Step 4: For the first time install NVidia driver, you need to disable Nouveau kernel driver by entering command:

echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf; sudo update-initramfs -u

--> Reboot.

-Step 5: Install driver by entering command

sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

where:

XXXXXX: name of file installer (download from NVIDIA).

PATH_TO_PRIVATE_KEY: full path to private key. If you place in home folder, use /home/USER_NAME/ instead of ~

PATH_TO_PUBLIC_KEY: full path to public key. If you place in home folder, use /home/USER_NAME/ instead of ~

Example:

sudo sh ./NVIDIA-Linux-x86_64-390.67.run -s --module-signing-secret-key=/home/itpropmn07/Nvidia.key --module-signing-public-key=/home/itpropmn07/Nvidia.der

--> Done

Read more https://us.download.nvidia.com/XFree86/Linux-x86/319.32/README/installdriver.html


The recommendation from itpropmn07 works for me. There is one change I had to make which is the last step.

Instead of entering this command:

sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

I entered the command without -s:

sudo sh ./XXXXXX.run --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

With this command I could interactively install the driver.

Related

Ubuntu on a USB stick - boot in both BIOS and UEFI modes
Ubuntu wakes up after few seconds of sleep [duplicate]
Recursively copy files from one directory to another
Is it possible to only allow specific packages updates from a PPA
Adobe will stop releasing new versions of Flash - what will happen to flash support in Ubuntu?
Snap application doesn't see files from another partition
How do I rebuild a corrupt dpkg status file?
How do I figure out what package something is in without resorting to Google?
How do I assign the output of a command to a variable?
How do I disable the touchpad while typing?
How do I enable compiz in Gnome Classic?
Touchpad is not recognized