Nvidia on Ubuntu/Kernel modules: Difference between revisions

Latest revision as of 15:35, 2 July 2025

I came across an issue reported to the Linux Surface project (run Linux on the Microsoft Surface tablet) titled DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2 - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.

sudo modprobe nvidia
modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

There is a lot of great detective work in the comments on that issue to help diagnose and debug the issue I'm having.

I modified /etc/dkms/framework.conf to specify the "existing" certs that were generated by DKMS on Ubuntu:

# mok_signing_key=/var/lib/dkms/mok.key
mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
# mok_certificate=/var/lib/dkms/mok.pub
mok_certificate="/var/lib/shim-signed/mok/MOK.der"

Then I issued an

sudo update-secureboot-policy --enroll-key

Which brings up the NCurses? dialog box to supply a password for the mokutil system

I gave it a (Secure Boot) password (stored in my Password safe.)

And rebooted

But video still didn't work.

But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I need to ~~regenerate it or~~ delete it so the system generates a new one.

The Canonical key is enrolled.

mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0

mokutil --test-key /var/lib/shim-signed/mok/MOK.der
Not a valid x509 certificate

So, I deleted the bad public cert

rm /var/lib/shim-signed/mok/MOK.der

And deleted all the previous generated modules

rm -rf /var/lib/dkms/nvidia/

And purged all installed nvidia driver

apt-get remove -y --purge '^libnvidia-.*' && apt-get remove -y --purge '^nvidia-*' && apt-get remove -y --purge '*575*' && apt -y autoremove

And then rebooted (should regenerate MOK.der)

The system somehow loaded the Nouveau driver - meaning video works great. It's just strange that it does when the module is denylisted in grub:

grep nouveau /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="nouveau.blacklist=1 quiet splash"

The nouveau kernel module is definitely in use:

lsmod |grep nouveau nouveau 3096576 43 drm_gpuvm 45056 2 xe,nouveau drm_exec 12288 3 drm_gpuvm,xe,nouveau gpu_sched 61440 2 xe,nouveau drm_ttm_helper 12288 2 xe,nouveau ttm 110592 4 drm_ttm_helper,xe,i915,nouveau drm_display_helper 237568 3 xe,i915,nouveau mxm_wmi 12288 1 nouveau i2c_algo_bit 16384 3 xe,i915,nouveau video 77824 3 xe,i915,nouveau wmi 28672 4 video,wmi_bmof,mxm_wmi,nouveau

But, when I tried to install nvidia again, package management wouldn't even work because module signing was broken.

I ended up deleting both the .der cert and .priv key files; and I witnessed the DKMS system re-creating new files during apt install nvidia-driver-575-open

Here is the relevant output from the script^[1] log

Building initial module nvidia/575.57.08 for 6.8.0-60-generic^M
Sign command: /usr/bin/kmodsign^M
Signing key: /var/lib/shim-signed/mok/MOK.priv^M
Public certificate (MOK): /var/lib/shim-signed/mok/MOK.der^M
Certificate or key are missing, generating self signed certificate for MOK...

References[edit]

↑ https://man7.org/linux/man-pages/man1/script.1.html

[1] ttps://man7.org/linux/man-pages/man1/script.1.html

[1]

@@ Line 1: / Line 1: @@
-I came across an issue on a https://github.com/linux-surface/linux-surface/issues/906
+I came across an issue reported to the Linux Surface project (run Linux on the Microsoft Surface tablet) titled [https://github.com/linux-surface/linux-surface/issues/906 DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2] - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.
-I modified /etc/dkms/framework.conf to specify the "existing" certs that were generated by DKMS on Ubuntu:<pre>
+<pre>
+sudo modprobe nvidia
+modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
+</pre>
+There is a lot of great detective work in the comments on that issue to help diagnose and debug the issue I'm having.
+I modified /etc/dkms/framework.conf to specify the "existing" certs that were generated by DKMS on Ubuntu:
+<pre>
 # mok_signing_key=/var/lib/dkms/mok.key
 mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
 # mok_certificate=/var/lib/dkms/mok.pub
-mok_signing_key="/var/lib/shim-signed/mok/MOK.der"
+mok_certificate="/var/lib/shim-signed/mok/MOK.der"
-</pre>Then I issued an <pre>
+</pre>
+Then I issued an
+<pre>
 sudo update-secureboot-policy --enroll-key
-</pre>gave it a password
+</pre>
+Which brings up the NCurses? dialog box to supply a password for the <code>mokutil</code> system
+I gave it a (Secure Boot) password (stored in my Password safe.)
+And rebooted
+But video still didn't work.
+But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I need to <strike>regenerate it or</strike> delete it so the system generates a new one.
+The Canonical key is enrolled.
+<pre>
+mokutil --list-enrolled
+[key 1]
+SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
+</pre>
+<pre>
+mokutil --test-key /var/lib/shim-signed/mok/MOK.der
+Not a valid x509 certificate
+</pre>
+So, I deleted the bad public cert
+ rm /var/lib/shim-signed/mok/MOK.der
+And deleted all the previous generated modules
+ rm -rf /var/lib/dkms/nvidia/
+And purged all installed nvidia driver
+ apt-get remove -y --purge '^libnvidia-.*' && apt-get remove -y --purge '^nvidia-*' && apt-get remove -y --purge '*575*' && apt -y autoremove
+And then rebooted (should regenerate MOK.der)
+The system somehow loaded the Nouveau driver - meaning video works great. It's just strange that it does when the module is denylisted in grub:<pre>
+grep nouveau /etc/default/grub
+GRUB_CMDLINE_LINUX_DEFAULT="nouveau.blacklist=1 quiet splash"
+</pre>The nouveau kernel module is definitely in use:<pre>
+lsmod |grep nouveau
+nouveau              3096576  43
+drm_gpuvm              45056  2 xe,nouveau
+drm_exec               12288  3 drm_gpuvm,xe,nouveau
+gpu_sched              61440  2 xe,nouveau
+drm_ttm_helper         12288  2 xe,nouveau
+ttm                   110592  4 drm_ttm_helper,xe,i915,nouveau
+drm_display_helper    237568  3 xe,i915,nouveau
+mxm_wmi                12288  1 nouveau
+i2c_algo_bit           16384  3 xe,i915,nouveau
+video                  77824  3 xe,i915,nouveau
+wmi                    28672  4 video,wmi_bmof,mxm_wmi,nouveau
+</pre>
+But, when I tried to install nvidia again, package management wouldn't even work because module signing was broken.
+I ended up deleting both the .der cert and .priv key files; and I witnessed the DKMS system re-creating new files during <code>apt install nvidia-driver-575-open</code>
+Here is the relevant output from the <code>script</code><ref>https://man7.org/linux/man-pages/man1/script.1.html</ref> log
+<syntaxhighlight lang="console">
+Building initial module nvidia/575.57.08 for 6.8.0-60-generic^M
+Sign command: /usr/bin/kmodsign^M
+Signing key: /var/lib/shim-signed/mok/MOK.priv^M
+Public certificate (MOK): /var/lib/shim-signed/mok/MOK.der^M
+Certificate or key are missing, generating self signed certificate for MOK...
+</syntaxhighlight>
-and rebooted
+{{References}}
+[[Category:Linux]]
+[[Category:Kernel]]
+[[Category:Video]]