Automatically signs the NVIDIA kernel modules and/or builds an RPM package to be layered using rpm-ostree, so that the OS (Fedora Silverblue and Kinoite 36+) can boot with Secure Boot enabled without making the deployment mutable.
Alternatively, check out silverblue-akmods-keys@CheariX for a (better!) workaround to automatically sign any modules built by akmods, by layering just one single package.
usage: build-kmod-nvidia-signed-rpm [-h|--help]
[-y|--assume-yes]
[-n|--assume-no]
[-u|--unsigned]
This is a Work In Progress, and as such it hasn't been thoroughly tested.
Check if Fedora is updated first:
rpm-ostree refresh-md &&
rpm-ostree upgrade
If required, restart your OS in order to boot into the updated deployment. Afterwards, make sure you pin it with:
sudo ostree admin pin 0
That way, you have a savepoint you can roll back to in case anything goes south. You have been warned!
On Silverblue/Kinoite, first layer the required Nvidia proprietary driver package with:
rpm-ostree install akmod-nvidia
# rpm-ostree install akmod-nvidia-470xx # GeForce 600/700 series
# rpm-ostree install akmod-nvidia-390xx # GeForce 400/500 series
# rpm-ostree install akmod-nvidia-340xx # GeForce 8/9/200/300 series
Also install the additional packages below as needed:
xorg-x11-drv-nvidia-cuda: CUDA driver libraries.
xorg-x11-drv-nvidia-power: preserve memory allocation on suspend/resume.
Afterwards, reboot your machine.
The following kernel arguments might be required to successfully load the drivers:
rpm-ostree kargs --append-if-missing=rd.driver.blacklist=nouveau \
--append-if-missing=modprobe.blacklist=nouveau \
--append-if-missing=nvidia-drm.modeset=1
Create a new Machine Owner Key if required:
sudo bash -c '[ ! -e /etc/pki/akmods/certs/public_key.der ] && kmodgenca'
Enroll it afterwards (choose a password to be entered on next boot):
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
Download or clone the repository to generate a new RPM file with the signed modules and layer the package:
sudo bash build-kmod-nvidia-signed-rpm --assume-yes
Append --unsigned if your modules are already signed (e.g., by using silverblue-akmods-keys@CheariX).
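A post-reboot check for the steps above, as an added example that is not part of this project's script: it classifies the output of `mokutil --sb-state`, `mokutil --test-key` and `modinfo -F signer nvidia` into one verdict. The function names, verdict strings and the constructed sample values are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: verify the result of the signing procedure after rebooting.
# Function names and verdict strings are assumptions made for this example.

KEY=/etc/pki/akmods/certs/public_key.der   # key path used in the steps above

# Turn the three command outputs into one verdict string.
#   $1: output of `mokutil --sb-state`
#   $2: output of `mokutil --test-key "$KEY"`
#   $3: output of `modinfo -F signer nvidia` (empty when the module is unsigned)
signing_verdict() {
    local sb_state="$1" test_key="$2" signer="$3"
    case "$test_key" in
        *"is already enrolled"*) ;;                          # MOK accepted by firmware
        *"enrollment request"*) echo "mok-pending-reboot"; return 0 ;;
        *) echo "mok-not-enrolled"; return 0 ;;
    esac
    if [ -z "$signer" ]; then
        echo "module-unsigned"                               # would be rejected under Secure Boot
        return 0
    fi
    case "$sb_state" in
        *"SecureBoot enabled"*) echo "ok" ;;
        *) echo "secure-boot-off" ;;                         # signature is not being enforced
    esac
}

# Collect the real outputs and fail unless everything lines up.
check_live() {
    local v
    v=$(signing_verdict "$(mokutil --sb-state 2>&1)" \
                        "$(mokutil --test-key "$KEY" 2>&1)" \
                        "$(modinfo -F signer nvidia 2>/dev/null)")
    echo "nvidia module signing: $v"
    [ "$v" = "ok" ]
}

if command -v mokutil >/dev/null 2>&1 && command -v modinfo >/dev/null 2>&1; then
    check_live || true
else
    # Tools not installed: show the verdict for constructed sample outputs.
    signing_verdict "SecureBoot enabled" "$KEY is already enrolled" "constructed-signer"
fi
```

A verdict of `mok-pending-reboot` means the key was imported but the enrollment prompt on the next boot has not been completed yet.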
To later update the deployed kernel or Nvidia driver, remove the layered package when issuing the command:
rpm-ostree update --uninstall kmod-nvidia-signed
Reboot into your new deployment and execute the script again in order to layer the new Nvidia kernel modules:
sudo bash build-kmod-nvidia-signed-rpm --assume-yes
- Many thanks to @CheariX for debugging the issue and coming up with a solution to sign compressed modules on Fedora 36+.
- For more information, please check the corresponding ticket: fedora-silverblue#272.