Kernel 6.18.0: mokutil failed to enroll new keys

After zypper dup (20251205, last update) I cannot enroll the key for the nvidia drivers.

~ 21:24 $ inxi -GSaz
System:
  Kernel: 6.18.0-1-default arch: x86_64 bits: 64 compiler: gcc v: 15.2.1
    clocksource: tsc avail: acpi_pm
    parameters: BOOT_IMAGE=/boot/vmlinuz-6.18.0-1-default
    root=UUID=9324222f-aca8-4f3e-aea7-a4f15c56b0fb splash=silent quiet
    security=apparmor rd.driver.blacklist=nouveau mitigations=auto
  Desktop: KDE Plasma v: 6.5.3 tk: Qt v: N/A info: frameworks v: 6.20.0
    wm: kwin_wayland tools: avail: xscreensaver vt: 2 dm: SDDM Distro: openSUSE
    Tumbleweed 20251205
Graphics:
  Device-1: Intel Raptor Lake-S UHD Graphics vendor: Dell driver: i915
    v: kernel alternate: xe arch: Xe process: Intel 10nm built: 2020-21 ports:
    active: eDP-1 empty: DP-1, DP-2, DP-3, HDMI-A-1 bus-ID: 0000:00:02.0
    chip-ID: 8086:a788 class-ID: 0300
  Device-2: NVIDIA AD107GLM [RTX 1000 Ada Generation Laptop GPU]
    vendor: Dell driver: N/A alternate: nouveau, nvidia_drm, nvidia
    non-free: 550-580.xx+ status: current (as of 2025-11) arch: Lovelace
    code: AD1xx process: TSMC n4 (5nm) built: 2022+ bus-ID: 0000:01:00.0
    chip-ID: 10de:28b9 class-ID: 0300
  Device-3: Microdia Integrated_Webcam_FHD driver: uvcvideo type: USB
    rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-3:2 chip-ID: 0c45:6a25
    class-ID: fe01 serial: <filter>
  Display: wayland server: X.org v: 1.21.1.21 with: Xwayland v: 24.1.8
    compositor: kwin_wayland driver: X: loaded: N/A unloaded: modesetting,vesa
    alternate: fbdev,intel dri: iris,nouveau gpu: i915 display-ID: 0
  Monitor-1: eDP-1 model: Samsung 0x4164 built: 2021 res: mode: 3840x2400
    hz: 60 scale: 150% (1.5) to: 2560x1600 dpi: 284 gamma: 1.2
    size: 344x215mm (13.54x8.46") diag: 406mm (16") ratio: 16:10
    modes: 3840x2400
  API: EGL v: 1.5 hw: drv: intel iris platforms: device: 0 drv: iris
    device: 1 drv: swrast gbm: drv: iris surfaceless: drv: iris wayland:
    drv: iris x11: drv: iris
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: intel mesa v: 25.3.1 glx-v: 1.4
    direct-render: yes renderer: Mesa Intel Graphics (RPL-S)
    device-ID: 8086:a788 memory: 61.01 GiB unified: yes display-ID: :0.0
  API: Vulkan v: 1.4.328 layers: 3 device: 0 type: integrated-gpu
    name: Intel Graphics (RPL-S) driver: mesa intel v: 25.3.1
    device-ID: 8086:a788 surfaces: N/A device: 1 type: cpu name: llvmpipe
    (LLVM 21.1.6 256 bits) driver: mesa llvmpipe v: 25.3.1 (LLVM 21.1.6)
    device-ID: 10005:0000 surfaces: N/A
  Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
    de: kscreen-console,kscreen-doctor gpu: nvidia-settings,nvidia-smi
    wl: wayland-info x11: xdpyinfo, xprop, xrandr
~ 21:30 $ 

I tried

sudo mokutil --import /usr/share/nvidia-pubkeys/MOK-nvidia-driver-G06-580.105.08-44.1-default.der --root-pw 

but it did not work.

List of nvidia packages:

S  | Name                             | Type    | Version                   | Arch   | Repository
---+----------------------------------+---------+---------------------------+--------+--------------
i  | kernel-firmware-nvidia           | package | 20251018-1.1              | noarch | repo-oss
i  | libnvidia-egl-gbm1               | package | 1.1.2-7.17                | x86_64 | repo-non-free
i  | libnvidia-egl-gbm1-32bit         | package | 1.1.2-7.12                | x86_64 | repo-non-free
i  | libnvidia-egl-wayland1           | package | 1.1.20-52.3               | x86_64 | repo-non-free
i  | libnvidia-egl-wayland1-32bit     | package | 1.1.20-52.3               | x86_64 | repo-non-free
i  | libnvidia-egl-x111               | package | 1.0.3-21.5                | x86_64 | repo-non-free
i  | libnvidia-egl-x111-32bit         | package | 1.0.3-21.4                | x86_64 | repo-non-free
i  | libnvidia-gpucomp                | package | 580.105.08-44.1           | x86_64 | repo-non-free
i  | libnvidia-gpucomp-32bit          | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-common-G06                | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-compute-G06               | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-compute-G06-32bit         | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-compute-utils-G06         | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-driver-G06-kmp-default    | package | 580.105.08_k6.17.6_1-44.1 | x86_64 | repo-non-free
i+ | nvidia-gl-G06                    | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-gl-G06-32bit              | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-libXNVCtrl                | package | 580.105.08-47.1           | x86_64 | repo-non-free
i+ | nvidia-modprobe                  | package | 580.105.08-20.1           | x86_64 | repo-non-free
i+ | nvidia-persistenced              | package | 580.105.08-2.1            | x86_64 | repo-non-free
i+ | nvidia-settings                  | package | 580.105.08-47.1           | x86_64 | repo-non-free
i+ | nvidia-userspace-meta-G06        | package | 580.105.08-24.1           | x86_64 | repo-non-free
i+ | nvidia-video-G06                 | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | nvidia-video-G06-32bit           | package | 580.105.08-44.1           | x86_64 | repo-non-free
i+ | openSUSE-repos-Tumbleweed-NVIDIA | package | 20250728.9adc675-1.1      | x86_64 | repo-oss

The computer boots normally and I get to a Wayland session (with the Intel card).

Is the file name correct? See the SDB. Use tab-completion to find the correct file name.

I completed as usual the MOK enrollment in the blue screen, but it failed; then I tried this command, which I already used when forgetting to enroll just after an update. Could you give me the link to the correct command?

Was there a specific error message?

Did you already try to force the reinstallation of the kmp package via
sudo zypper in -f nvidia-driver-G06-kmp-default

Nothing special: on the blue screen, after typing my PW it said “Failed to enroll a new key”
I try to force the kernel: thank you!

After forcing the kernel reinstallation I get the same error. In addition it says something about 0x2 (but I forgot), and then that it cannot enroll the key.

List of keys:

~ 21:59 $ ll /usr/share/nvidia-pubkeys/
total 80K
-rw-r--r-- 1 root root 894 sept. 15  2024 MOK-nvidia-driver-G06-550.100-25.1-default.der
-rw-r--r-- 1 root root 900 oct.   6  2024 MOK-nvidia-driver-G06-550.107.02-26.1-default.der
-rw-r--r-- 1 root root 894 oct.   6  2024 MOK-nvidia-driver-G06-550.120-27.1-default.der
-rw-r--r-- 1 root root 894 oct.  27  2024 MOK-nvidia-driver-G06-550.120-28.1-default.der
-rw-r--r-- 1 root root 900 nov.  17  2024 MOK-nvidia-driver-G06-550.127.05-27.1-default.der
-rw-r--r-- 1 root root 894 janv. 19  2025 MOK-nvidia-driver-G06-550.135-28.1-default.der
-rw-r--r-- 1 root root 900 janv. 26  2025 MOK-nvidia-driver-G06-550.144.03-30.2-default.der
-rw-r--r-- 1 root root 898 juil. 21  2024 MOK-nvidia-driver-G06-550.90.07-23.1-default.der
-rw-r--r-- 1 root root 900 mars  25  2025 MOK-nvidia-driver-G06-570.124.04-32.1-default.der
-rw-r--r-- 1 root root 900 avril 20  2025 MOK-nvidia-driver-G06-570.133.07-33.1-default.der
-rw-r--r-- 1 root root 894 mai   18  2025 MOK-nvidia-driver-G06-570.144-34.1-default.der
-rw-r--r-- 1 root root 900 juin  15 15:47 MOK-nvidia-driver-G06-570.153.02-36.1-default.der
-rw-r--r-- 1 root root 894 juil. 27 10:09 MOK-nvidia-driver-G06-570.169-37.1-default.der
-rw-r--r-- 1 root root 900 août  23 17:15 MOK-nvidia-driver-G06-570.172.08-37.1-default.der
-rw-r--r-- 1 root root 898 févr. 28  2025 MOK-nvidia-driver-G06-570.86.16-31.1-default.der
-rw-r--r-- 1 root root 900 déc.   8 21:55 MOK-nvidia-driver-G06-580.105.08-44.1-default.der
-rw-r--r-- 1 root root 898 août  31 09:59 MOK-nvidia-driver-G06-580.76.05-39.1-default.der
-rw-r--r-- 1 root root 898 oct.   5 09:33 MOK-nvidia-driver-G06-580.82.07-39.1-default.der
-rw-r--r-- 1 root root 898 oct.   9 09:18 MOK-nvidia-driver-G06-580.95.05-40.1-default.der
-rw-r--r-- 1 root root 898 nov.   9 08:31 MOK-nvidia-driver-G06-580.95.05-41.3-default.der

(your link was broken: I found the information here: https://en.opensuse.org/SDB:NVIDIA_drivers); it seems that the name template does not match the “kernel_flavor

The error message is : Failed to set variable: (0x2) Invalid Parameter in the blue screen to enroll the key.
Reinstalling the kmp-driver did not help

In fact it seems that there is not a nvidia-driver-G06-kmp-default for the new kernel in the NVIDIA repository:

zypper se -s nvidia-driver-G06-kmp
Loading repository data...
Reading installed packages...

S  | Name                           | Type    | Version                    | Arch   | Repository
---+--------------------------------+---------+----------------------------+--------+--------------
i+ | nvidia-driver-G06-kmp-default  | package | 580.105.08_k6.17.6_1-44.1  | x86_64 | repo-non-free
v  | nvidia-driver-G06-kmp-default  | package | 580.95.05_k6.17.0_2-41.3   | x86_64 | repo-non-free
v  | nvidia-driver-G06-kmp-default  | package | 580.95.05_k6.16.8_1-40.1   | x86_64 | repo-non-free
v  | nvidia-driver-G06-kmp-default  | package | 580.82.07_k6.16.3_1-39.1   | x86_64 | repo-non-free
v  | nvidia-driver-G06-kmp-default  | package | 580.76.05_k6.15.8_1-39.1   | x86_64 | repo-non-free
v  | nvidia-driver-G06-kmp-default  | package | 570.172.08_k6.15.6_1-37.1  | x86_64 | repo-non-free
v  | nvidia-driver-G06-kmp-default  |

The closed source kmp (580.105.08_k6.17.6_1-44.1) works fine with the latest kernel 6.18. So this is not the reason for your issue. Running the same kmp with the latest kernel on all boxes without issues here. But I don’t use secure boot.

Maybe someone else who uses secure boot might chime in @malcolmlewis

There are several search results for Failed to set variable: (0x2) Invalid Parameter. But not sure which of the results will help you further.

The other systems I have using the rpm’s are on Leap 16.0. Tumbleweed I use the run file(s) so I’m using 590.44.01 with CUDA 13.1 and no secure boot either…

Normally a force should rebuild and sign the kmp, which I see on Leap. Sounds more like a system firmware issue…

@verga Have you run fwupdmgr get-updates recently?

No, not recently; perhaps three weeks ago.

I reinstalled the kernel and verified that the MOK*.der file was correctly generated. However, the error persisted.

I was wondering if the solution would be to delete some keys. Curiously, the list of enrolled keys stops at driver 550:

mokutil --list-enrolled | grep nvidia
    .....
    Issuer: CN=Local  build for nvidia-driver-G06 550.127.05 on 2024-11-17
    Issuer: CN=Local build for nvidia-driver-G06 550.135 on 2024-11-28
    Issuer: CN=Local build for nvidia-driver-G06 550.135 on 2024-12-22
    Issuer: CN=Local build for nvidia-driver-G06 550.135 on 2025-01-12

I tried sudo mokutil --delete MOK-nvidia-driver-G06-550.144.03-30.2-default.der (for example) but it gives Failed to get file status. Is there a way to clean the keys using mokutil?

@verga Have a read here: https://github.com/lcp/mokutil/issues/32 and see if that helps.

It has nothing to do with kernel.

The possible reasons for this error as listed in UEFI specifications:

An invalid combination of attribute bits, name, and GUID was supplied, or
the DataSize exceeds the maximum allowed.

Now, the combination is always the same, which leaves variable size as the possible cause. Your

suggests that there are many certificates which supports this hypothesis.

Those variables are boot time only, so to check the existing value one would need to boot EfiShell. But at the end, only the vendor of your firmware can give the definitive answer what goes wrong. Still, the output of

df -h /sys/firmware/efi/efivars
ls -sh /sys/firmware/efi/efivars

may shed some light.

You can try deleting no more needed certificates. If my guess is correct and it is about size, it should work.
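The size hypothesis in the post above can be partly checked from the running system. This is an added example, not part of the original thread: the boot-time MokList is not readable at runtime, but shim exposes runtime copies as `Mok*` variables under its vendor GUID, and the script sums their payload alongside the `.der` files in the pubkey directory shown earlier. The function names are hypothetical; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: how many bytes do the shim MOK variables and the
# locally generated nvidia certificates occupy?

SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23   # shim's vendor GUID

# total_bytes OVERHEAD FILE...  ->  prints "<count> <bytes>"
# OVERHEAD is subtracted per file: efivarfs prepends 4 attribute bytes
# to every variable, which are not part of the certificate payload.
total_bytes() {
    overhead=$1; shift
    count=0; bytes=0
    for f in "$@"; do
        [ -f "$f" ] || continue              # skips an unmatched glob pattern
        size=$(wc -c < "$f") || continue     # unreadable variable: skip it
        size=$((size + 0))                   # normalise whitespace from wc
        if [ "$size" -ge "$overhead" ]; then
            size=$((size - overhead))
        fi
        count=$((count + 1))
        bytes=$((bytes + size))
    done
    echo "$count $bytes"
}

# Runtime MOK variables (MokListRT, MokListXRT, ...) in an efivarfs directory.
mok_usage() {
    total_bytes 4 "${1:-/sys/firmware/efi/efivars}"/Mok*-"$SHIM_GUID"
}

# DER certificates accumulated by successive driver package builds.
pubkey_usage() {
    total_bytes 0 "${1:-/usr/share/nvidia-pubkeys}"/*.der
}

echo "MOK variables  (count bytes): $(mok_usage)"
echo "nvidia pubkeys (count bytes): $(pubkey_usage)"
```

A MOK byte total that is large relative to the `Avail` column of `df -h /sys/firmware/efi/efivars` is consistent with the DataSize explanation, although only the firmware vendor can confirm the actual per-variable limit.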

@arvidjaar Yes, it seems to be related with the size of the key database:

~ 18:42 $ df -h /sys/firmware/efi/efivars
Filesystem      Size  Used Avail Use% Mounted on
efivarfs        438K  342K   92K  79% /sys/firmware/efi/efivars

ls -tl /sys/firmware/efi/efivars lists 320 files, all created today (I rebooted my computer); there are about 30 MOK files

@malcolmlewis Is it safe to delete MOK-0001.der (created by mokutil --export)? It contains opensuse keys and other stuff not related to the nvidia drivers.

For the moment I rolled back to my last configuration (kernel 17.9).

@verga If MOK-0001.der was manually created, then yes…

@malcolmlewis Thank-you. I deleted MOK key

1> mokutil --export
2> sudo mokutil --delete MOK-0001.der
3> reboot
4> delete MOK
5> reboot
6> sudo mokutil --import /usr/share/nvidia-pubkeys/MOK-nvidia-driver-G06-580.105.08-44.1-default.der --root-pw 
7> reboot
8> enroll key: Failed with the same code (2x0) Invalid parameter

The contents of MOK-0001.der are

openssl x509 -in MOK-0001.der -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project, emailAddress=build@opensuse.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project, emailAddress=build@opensuse.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:df:61:92:7a:a4:fe:83:d1:7d:3b:68:0e:b1:
                 .....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
            X509v3 Authority Key Identifier: 
                keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
                DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
                serial:01
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:a3:89:c2:8e:d9:f9:82:0b:f3:33:ce:e9:19:17:17:a3:65:
       .....

which corresponds to (0x2) “version 3”.

Any suggestions?

Post:

mokutil --list-enrolled | grep -iB10 issue

If these are too much, use susepaste:

mokutil --list-enrolled | grep -iB10 issue | susepaste -e 131040

That will delete the paste on the paste server after 3 months.

Thank you and malcolm and arvidjaar for your help: this forum is really useful!

The solution finally was to reset all keys to their factory values using the UEFI/BIOS interface (I am on a Dell Precision).

nvidia-smi
Wed Dec 10 15:11:00 2025       
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 580.105.08             Driver Version: 580.105.08     CUDA Version: 13.0     |
+-----------------------------------------+------------------------+----------------------+
| GPU  Name                 Persistence-M | Bus-Id          Disp.A | Volatile Uncorr. ECC |
| Fan  Temp   Perf          Pwr:Usage/Cap |           Memory-Usage | GPU-Util  Compute M. |
|                                         |                        |               MIG M. |
|=========================================+========================+======================|
|   0  NVIDIA RTX 1000 Ada Gene...    On  |   00000000:01:00.0 Off |                  N/A |
| N/A   44C    P3            590W /   74W |       2MiB /   6141MiB |     11%      Default |
|                                         |                        |                  N/A |
+-----------------------------------------+------------------------+----------------------+

+-----------------------------------------------------------------------------------------+
| Processes:                                                                              |
|  GPU   GI   CI              PID   Type   Process name                        GPU Memory |
|        ID   ID                                                               Usage      |
|=========================================================================================|
|  No running processes found                                                             |
+-----------------------------------------------------------------------------------------+

running the last kernel 6.18.

@verga then I would suggest running fwupdmgr get-upgrades and also check fwupdmgr security output.