Nvidia MOK keys not installing

English Install/Boot/Login
,
1

I’m trying to install Nvidia drivers but am running into a problem. I have Secure Boot enabled and according to the documentation here:

https://en.opensuse.org/SDB:NVIDIA_drivers#CUDA

the install process should create MOK keys which I will then be prompted to approve on boot.

I installed using:

zypper in nvidia-open-driver-G06-signed-cuda-kmp-default

but the MOK keys were not created. At least, I can’t find them anywhere on my system nor am I prompted about them when booting.

Disabling Secure Boot does work but I’d rather not have to do that.

Am I missing something or is the install process not working as intended?

These are the related packages I have:

S  | Name                                           | Type    | Version                  | Arch   | Repository
---+------------------------------------------------+---------+--------------------------+--------+--------------
i+ | cuda-cloud-opengpu                             | package | 580.105.08-44.1          | x86_64 | repo-non-free
i  | cuda-cudart-12-8                               | package | 12.8.90-1                | x86_64 | cuda
i  | cuda-demo-suite-12-9                           | package | 12.9.79-1                | x86_64 | cuda
i  | cuda-libraries-12-8                            | package | 12.8.1-1                 | x86_64 | cuda
i  | cuda-nvrtc-12-8                                | package | 12.8.93-1                | x86_64 | cuda
i  | cuda-opencl-12-8                               | package | 12.8.90-1                | x86_64 | cuda
i  | cuda-toolkit-12-8-config-common                | package | 12.8.90-1                | noarch | cuda
i  | cuda-toolkit-12-config-common                  | package | 12.9.79-1                | noarch | cuda
i  | cuda-toolkit-config-common                     | package | 13.1.80-1                | noarch | cuda
i  | libnvidia-egl-gbm1                             | package | 1.1.2.1-150700.12.1      | x86_64 | cuda
i  | libnvidia-egl-wayland1                         | package | 1.1.21-150700.1.1        | x86_64 | cuda
i  | libnvidia-egl-x111                             | package | 1.0.5-22.1               | x86_64 | repo-non-free
i  | libnvidia-gpucomp                              | package | 580.105.08-44.1          | x86_64 | repo-non-free
i  | nvidia-common-G06                              | package | 580.105.08-44.1          | x86_64 | repo-non-free
i  | nvidia-compute-G06                             | package | 580.105.08-44.1          | x86_64 | repo-non-free
i  | nvidia-compute-utils-G06                       | package | 580.105.08-44.1          | x86_64 | repo-non-free
i  | nvidia-gl-G06                                  | package | 580.105.08-44.1          | x86_64 | repo-non-free
i  | nvidia-modprobe                                | package | 580.105.08-20.1          | x86_64 | repo-non-free
i+ | nvidia-open-driver-G06-signed-cuda-kmp-default | package | 580.105.08_k6.18.5_1-1.5 | x86_64 | repo-oss
i  | nvidia-persistenced                            | package | 580.105.08-2.1           | x86_64 | repo-non-free
i  | nvidia-userspace-meta-G06                      | package | 580.105.08-24.1          | x86_64 | repo-non-free
i  | nvidia-video-G06                               | package | 580.105.08-44.1          | x86_64 | repo-non-free
i+ | openSUSE-repos-Tumbleweed-NVIDIA               | package | 20250728.9adc675-1.1     | x86_64 | repo-oss
2

The open driver is signed with the openSUSE key (it is installed from repo-oss) so there is no new key to enroll AFAIK.

And, BTW, welcome to the openSUSE Forums!

3

Thank you for the warm welcome :slight_smile:

If that’s the case do you happen to know where I find the key to add it with mokutil or something? I can only get the driver working if I disable Secure Boot.

4

Post:

mokutil --list-enrolled | grep -iB8 issuer
5

Here’s the output:

mokutil --list-enrolled | grep -iB8 issuer
[key 1]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
6

Only one key?

Post also:

ls -al /etc/uefi/certs/

and

mokutil --list-new
7

Thanks for your help.

The outputs:

ls -al /etc/uefi/certs/

total 8
drwxr-xr-x. 1 root root   76 Jan 18 10:01 ./
drwxr-xr-x. 1 root root   10 Jan 18 10:01 ../
-rw-r--r--. 1 root root 1144 Dec  1 11:14 4659838C-shim-opensuse.crt
-rw-r--r--. 1 root root 1177 Jan 18 10:01 F8CEAA94.crt

mokutil --list-new
(no output)
8

Post:

rpm -qf /etc/uefi/certs/F8CEAA94.crt
9 
rpm -qf /etc/uefi/certs/F8CEAA94.crt
kernel-default-6.18.5-1.1.x86_64
kernel-default-6.18.6-1.1.x86_64
10

Install:
zypper in openSUSE-signkey-cert

Reboot and add it to mok.

Install the Nvidia once more:

zypper in nvidia-open-driver-G06-signed-cuda-kmp-default

And reboot.

11

Thanks, so I was prompted to add the MOK for OpenSuse but reinstalling:

sudo zypper in -f nvidia-open-driver-G06-signed-cuda-kmp-default

did not trigger another prompt on the following reboot. Nor does the /usr/share/nvidia-pubkeys directory exist which is what’s described in the documentation.

I double-checked and secure boot is indeed enabled which seems to be a prerequisite for the key to be added, according to the docs. I don’t see any .der files except the OpenSuse shim one:

fd -e der
usr/share/efi/x86_64/shim-opensuse.der

If it helps:

ls -al /etc/uefi/certs/
total 12
drwxr-xr-x. 1 root root  108 Jan 25 16:27 ./
drwxr-xr-x. 1 root root   10 May  4  2021 ../
-rw-r--r--. 1 root root 1177 May  4  2021 1F673297-kmp.crt
-rw-r--r--. 1 root root 1144 Dec  1 11:14 4659838C-shim-opensuse.crt
-rw-r--r--. 1 root root 1177 Jan 18 10:01 F8CEAA94.crt

mokutil --list-new
(no output)
12

Is for using the Nvidia Repo.
You do not use the Nvidia Repo for the kmp.

Post:

inxi -GA
13

Oh I see, ok.

Here’s the output:

inxi -GA
Graphics:
  Device-1: NVIDIA AD106 [GeForce RTX 4060 Ti 16GB] driver: N/A
  Device-2: Advanced Micro Devices [AMD/ATI] Strix [Radeon 880M / 890M]
    driver: amdgpu v: kernel
  Display: wayland server: Xwayland v: 24.1.9 compositor: niri driver:
    gpu: amdgpu resolution: 1: 1920x1080~60Hz 2: 1920x1200~60Hz
  API: OpenGL v: 4.6 vendor: amd mesa v: 25.3.3 renderer: AMD Radeon 890M
    Graphics (radeonsi gfx1150 LLVM 21.1.8 DRM 3.64 6.18.6-1-default)
  API: EGL Message: EGL data requires eglinfo. Check --recommends.
  Info: Tools: api: glxinfo gpu: nvidia-smi wl: wlr-randr x11: xprop,xrandr
Audio:
  Device-1: NVIDIA AD106M High Definition Audio driver: snd_hda_intel
  Device-2: Advanced Micro Devices [AMD/ATI] Radeon High Definition Audio
    [Rembrandt/Strix] driver: snd_hda_intel
  Device-3: Advanced Micro Devices [AMD] Audio Coprocessor
    driver: snd_acp_pci
  Device-4: Advanced Micro Devices [AMD] Family 17h/19h/1ah HD Audio
    driver: snd_hda_intel
  Device-5: IK Multimedia iRig PRO I/O driver: snd-usb-audio type: USB
  API: ALSA v: k6.18.6-1-default status: kernel-api
  Server-1: PipeWire v: 1.5.85 status: active
14

This is not mine…

15

I’m sorry I don’t understand?

16

2 Graphics are not my theme…

I can not help further.

17

Ok I understand, thank you for your help all the same. You at least helped me figure out part of the issue.

18

This doesn’t look like a MOK issue. On hybrid systems the AMD iGPU drives the display, and the NVIDIA GPU is often powered down by default.

Try invoking
__NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia glxinfo | grep vendor or __NV_PRIME_RENDER_OFFLOAD=1 nvidia-smi
to test offload. If that wakes the NVIDIA GPU up and shows output, then the driver is installed and working as expected.

19

AFAIU, this isn’t essential for a working desktop, but if you want the nvidia module to load at boot, add nvidia-drm.modeset=1 to your GRUB kernel parameters, rebuild the initramfs with
sudo dracut -f
and then reboot.

20

Bizarre, I had this whole message written up because I had it configured as you describe but it only worked when secure boot was disabled. So I reenabled secure boot and it didn’t even work anymore there. I uninstalled and reinstalled all the nvidia packages and it seems to be ok now even with secure boot enabled. Thanks for your help!

1 Like