Problems enrolling nvidia driver when /sys/firmware/efi/efivars is full

paslotte · October 3, 2025, 1:21pm

Lately I have been unable to update the nvidia driver, or more specifically; the kernel module will not register with MOK and it is impossible to enroll it. The result is of course no graphics. The “sudo snapper rollback” has been a life saver, but I am stuck with an “old” system.
The main suspect for the root of the problem is that /sys/firmware/efi/efivars is full. It seems to be filling up for each update of the nvidia driver.

tmp:bash$ df | grep efivars
efivarfs                             192        187            1  100% /sys/firmware/efi/efivars

I have 159 entries in this directory

tmp:bash$ ls -l /sys/firmware/efi/efivars | wc
    159    1424   14877

and 33 of these are of the type MokListRT*

mp:bash$ ls -al /sys/firmware/efi/efivars/MokListRT* | wc
     33     297    3883

31 of these are related to the nvidia driver. There seem to be an entry for every driver ever installed.

tmp:bash$ hexdump -C  /sys/firmware/efi/efivars/MokListRT2-605dab50-e046-4300-abb6-3dd810dd8b23 
00000000  06 00 00 00 a1 59 c0 a5  e4 94 a7 4a 87 b5 ab 15  |.....Y.....J....|
    .
    .
000000d0  03 55 04 03 0c 3a 4c 6f  63 61 6c 20 62 75 69 6c  |.U...:Local buil|
000000e0  64 20 66 6f 72 20 6e 76  69 64 69 61 2d 64 72 69  |d for nvidia-dri|
000000f0  76 65 72 2d 47 30 36 20  35 35 30 2e 31 30 37 2e  |ver-G06 550.107.|
00000100  30 32 20 6f 6e 20 32 30  32 34 2d 30 39 2d 31 38  |02 on 2024-09-18|
    .
    .

All of these are also enrolled:

tmp:bash$ mokutil --list-enrolled > enrolled.txt
tmp:bash$ cat enrolled.txt | grep nvidia | grep Subject
        Subject: CN=Local build for nvidia-driver-G06 550.107.02 on 2024-09-18
        Subject: CN=Local build for nvidia-driver-G06 550.107.02 on 2024-09-22
        Subject: CN=Local build for nvidia-driver-G06 550.107.02 on 2024-09-28
   .
   -
   .

When I try to unregister I get:

tmp:bash$ sudo mokutil --root-pw --delete  /usr/share/nvidia-pubkeys/MOK-nvidia-driver-G06-550.107.02-26.1-default.der 
[sudo] passord for root: 
Failed to delete keys

And removing the files does also not work (files and directory is read/write)

tmp:bash$ sudo chattr -i  /sys/firmware/efi/efivars/MokListRT2-605dab50-e046-4300-abb6-3dd810dd8b23
tmp:bash$ lsattr  /sys/firmware/efi/efivars/MokListRT2-605dab50-e046-4300-abb6-3dd810dd8b23
---------------------- /sys/firmware/efi/efivars/MokListRT2-605dab50-e046-4300-abb6-3dd810dd8b23

tmp:bash$ sudo rm /sys/firmware/efi/efivars/MokListRT2-605dab50-e046-4300-abb6-3dd810dd8b23
rm: klarte ikke å fjerne '/sys/firmware/efi/efivars/MokListRT2-605dab50-e046-4300-abb6-3dd810dd8b23': Ugyldig argument

Does anyone have any idea about what goes wrong?
Suggestions on how to remove the unwanted, and unused stuff, in efivars, either from the linux command line or in BIOS are highly welcome,

hui · October 3, 2025, 1:27pm

Did you try to remove the entries without specifying the full path? See
https://docs.oracle.com/en/engineered-systems/exadata-database-machine/dbmsq/removing-keys-using-mokutil.html

(as real root)
# mokutil --root-pw --delete MOK-nvidia-driver-G06-550.107.02-26.1-default.der

paslotte · October 3, 2025, 1:28pm

As you can see above, there is a full path. Am I missing something?

I have now also tried

nvidia-pubkeys:bash$ sudo mokutil --root-pw --delete MOK-nvidia-driver-G06-550.107.02-26.1-default.der
[sudo] passord for root: 
Failed to delete keys

Also as real root without sudo

nvidia-pubkeys:bash$ su
Passord: 
localhost:/usr/share/nvidia-pubkeys # mokutil --root-pw --delete MOK-nvidia-driver-G06-550.107.02-26.1-default.der
Failed to delete keys

hui · October 3, 2025, 1:31pm

…deleted due to edited comment above…

arvidjaar · October 3, 2025, 1:35pm

Please always set locale to English when running commands that you want to post.

Removing EFI variable may need some additional space. Try immediately after full poweroff (if possible, also remove battery). It may trigger some reorganization of EFI NVRAM.

All these commands (including mokutil --disable-validation) create request to the MokManager. If they cannot create EFI variable, all these requests will fail.

paslotte · October 3, 2025, 1:47pm

Power off does not seem to help.

arvidjaar · October 3, 2025, 1:49pm

Try after having disabled Secure Boot.

Sauerland · October 3, 2025, 5:25pm

Export the keys to your /home and delete them with:
as root executed in your users /home/
mokutil --export
Befor delteting you can look inside the keyX.der with kate or similar, to get the right key.
mokutil --delete /home/XXXXX/keyX.der

reboot.

arvidjaar · October 3, 2025, 5:36pm

What did not you understand in “mokutil needs to create EFI variable to do it”?

Sauerland · October 3, 2025, 5:42pm

I have not read complete.

paslotte · October 4, 2025, 8:12am

Strangely

mokutil  --export

only exports a single key, out of the 33 that are enrolled as reported by

mokutil --list-enrolled

Sauerland · October 4, 2025, 8:51am

Can you remove some of them when you go straight to your UEFI/Bios?
And remove them there?

paslotte · October 4, 2025, 10:22am

Actually I tried that, but I cannot find the corresponding variables there. If I remember correctly the only variables I found there was connected to Microsoft and Canonical.
I have an ASUS motherboard:
TUF gaming B760-PLUS WIFI

arvidjaar · October 4, 2025, 11:11am

It is rather difficult to help you when the only thing we get is your conclusions based on something you did and observed but that we do not see.

paslotte · October 4, 2025, 12:25pm

Could a BIOS update be a solution?
I guess this would erase/clean everything related to efivars.
I am very nervous about messing with the system at this low level:
Is there a chance of bricking the machine, and what are the steps I would need to take to get the secure boot linux system with nvidia drivers to work again after cleaning everything?

hui · October 4, 2025, 12:31pm

Did you already have a look in your BIOS? Gaming boards like yours should have a good BIOS menu where you can perform extensive and detailed key management.

paslotte · October 4, 2025, 12:40pm

I will try to dig some more into the BIOS menu and read the BIOS manual, and see if I cand find anything.
As mentioned earlier I already tried to find the nvidia related keys for deletion there with no luck.
But there may be other options such as saving all keys to an USB stick, reemoving all keys, followed by adding the needed keys from the USB stick
I will come back with info when I have tried this.

paslotte · October 5, 2025, 3:32pm

I wish to thank everyone that has contributed to this discussion. An active community is definitely an asset.
None of the proposed fixes lead to a solution, however I finally tried adding

no_storage_paranoia

to the kernel command line (using yast). This apperantly increases the maximum size of efivars, and that did the trick.
After booting with this parameter I was able to remove keys with

mokutil --export

followed by

mokutil --delete  keyX.der

as proposed by @Sauerland

After freeing some space in this manner I was able to bo a system update and adding the MOK key for the updated nvidia driver.