Bug#953366: nvidia-kernel-dkms: module not loaded due lockdown

mando at april.org mando at april.org
Fri May 28 17:28:07 BST 2021 

Hello Paul,

Thank you for you message. In the following link, you'll find the two 
scripts I'm currently using.

https://forums.developer.nvidia.com/t/linux-nvidia-gpu-screens-are-not-yet-supported/120834/7 
<https://forums.developer.nvidia.com/t/linux-nvidia-gpu-screens-are-not-yet-supported/120834/7>

*Current status:*

On first nvidia-kernel-dkms installation*:
*

  * First, run enroll.sh to create the pair of key.
  * Second, reboot and enter the BIOS to enroll your keys.
  * Third, run sign.sh and reboot (*).

On linux-image/nvidia-kernel-dkms updates:

  * Run sign.sh to sign the new nvidia module. In my case, I know that I
    must run the script because I see a red line when booting under Debian.
  * Note that in sign.sh, KBUILD_VER is computed from the running
    kernel. This means that you might need to reboot on the new kernel
    before running sign.sh. You could also adapt the script for every
    installed kernel.
  * Then, reboot (*).

*Wish list:*

  * nvidia-kernel-dkms should first determine whether the secure boot is
    enabled or not. If so, it should create a new pair of keys (if not
    yet existing) and indicate the procedure to enroll the key in the BIOS.
  * nvidia-kernel-dkms should install a kind of post-install rule for
    linux-image (I don't know if it's possible) to run sign.sh for the
    new kernel.

Best regards,
mando

(*) You could probably just unload/reload nvidia module and restart X 
server. I reboot because it is simpler.

Le 28/05/2021 à 15:07, Paul Slootman a écrit :
> On Tue 14 Apr 2020, mando at april.org wrote:
>> My problem is solved.
>>
>> It was happening because I did signed nvidia-kernel.ko as explained here in:
>> https://wiki.debian.org/SecureBoot
>>
>> In the details, to automate the process for future nvidia-kernel-dmks
>> update, I relied on this link:
>> https://gist.github.com/dop3j0e/2a9e2dddca982c4f679552fc1ebb18df
> It would be helpful if you could write the specifics of that in this
> bug report, as that page is no longer available.
>
>
> Regards,
> Paul

More information about the pkg-nvidia-devel mailing list