Nvidia on Ubuntu/Kernel modules

From Freephile Wiki

I came across an issue reported to the Linux Surface project (run Linux on the Microsoft Surface tablet) titled DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2 - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.

sudo modprobe nvidia
modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

There is a lot of great detective work in the comments on that issue to help diagnose and debug the issue I'm having.

I modified /etc/dkms/framework.conf to specify the "existing" certs that were generated by DKMS on Ubuntu:

# mok_signing_key=/var/lib/dkms/mok.key
mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
# mok_certificate=/var/lib/dkms/mok.pub
mok_certificate="/var/lib/shim-signed/mok/MOK.der"

Then I issued:

sudo update-secureboot-policy --enroll-key

This brings up the NCurses? dialog box to supply a password for the mokutil system.

I gave it a (Secure Boot) password (stored in my password safe).

And rebooted.

But video still didn't work.

But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I need to regenerate it or delete it so the system generates a new one.

The Canonical key is enrolled.

mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0


mokutil --test-key /var/lib/shim-signed/mok/MOK.der
Not a valid x509 certificate

So, I deleted the bad public cert:

rm /var/lib/shim-signed/mok/MOK.der

And deleted all the previously generated modules:

rm -rf /var/lib/dkms/nvidia/

And purged all installed nvidia drivers:

apt-get remove -y --purge '^libnvidia-.*' && apt-get remove -y --purge '^nvidia-*' && apt-get remove -y --purge '*575*' && apt -y autoremove

And then rebooted (should regenerate MOK.der)

The system somehow loaded the Nouveau driver - meaning video works great. It's just strange that it does when the module is denylisted in grub:

grep nouveau /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="nouveau.blacklist=1 quiet splash"

The nouveau kernel module is definitely in use:

lsmod |grep nouveau
nouveau 3096576 43
drm_gpuvm 45056 2 xe,nouveau
drm_exec 12288 3 drm_gpuvm,xe,nouveau
gpu_sched 61440 2 xe,nouveau
drm_ttm_helper 12288 2 xe,nouveau
ttm 110592 4 drm_ttm_helper,xe,i915,nouveau
drm_display_helper 237568 3 xe,i915,nouveau
mxm_wmi 12288 1 nouveau
i2c_algo_bit 16384 3 xe,i915,nouveau
video 77824 3 xe,i915,nouveau
wmi 28672 4 video,wmi_bmof,mxm_wmi,nouveau

But, when I tried to install nvidia again, package management wouldn't even work because module signing was broken.

I ended up deleting both the .der cert and .priv key files, and I witnessed the DKMS system re-creating new files during apt install nvidia-driver-575-open.

Here is the relevant output from the script[1] log:

Building initial module nvidia/575.57.08 for 6.8.0-60-generic
Sign command: /usr/bin/kmodsign
Signing key: /var/lib/shim-signed/mok/MOK.priv
Public certificate (MOK): /var/lib/shim-signed/mok/MOK.der
Certificate or key are missing, generating self signed certificate for MOK...
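
The manual checks above (which key and certificate /etc/dkms/framework.conf points at, whether the certificate parses as X.509, and whether its fingerprint appears in the mokutil --list-enrolled output) can be collected into one script. This is an added example, not part of the original page or of DKMS; the function names and the `--live` switch are made up for illustration, and the live part assumes `openssl` and `mokutil` are installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are illustrative.

# conf_value KEY: active (uncommented) value of KEY from framework.conf on stdin.
conf_value() {
  sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 | tr -d "\"'"
}

# norm_fp: drop the "SHA1 Fingerprint" label (mokutil or openssl style), lower-case hex.
norm_fp() {
  sed -e 's/^.*[Ff]ingerprint[:=][[:space:]]*//' -e 's/[[:space:]]*$//' | tr 'A-F' 'a-f'
}

# check_conf: read framework.conf on stdin and flag a missing or duplicated key/cert path.
check_conf() {
  local conf key cert
  conf=$(cat)
  key=$(printf '%s\n' "$conf" | conf_value mok_signing_key)
  cert=$(printf '%s\n' "$conf" | conf_value mok_certificate)
  if [ -z "$key" ] || [ -z "$cert" ]; then echo "unset"
  elif [ "$key" = "$cert" ]; then echo "key-and-cert-same-file"
  else echo "ok"; fi
}

# is_enrolled FP: succeed if FP is among the keys in `mokutil --list-enrolled` text on stdin.
is_enrolled() {
  grep -i 'SHA1 Fingerprint' | norm_fp | grep -qxF "$(printf '%s\n' "$1" | norm_fp)"
}

# Live check: only runs when called with --live on the affected host.
if [ "${1:-}" = "--live" ]; then
  conf=/etc/dkms/framework.conf
  echo "config: $(check_conf < "$conf")"
  cert=$(conf_value mok_certificate < "$conf")
  # openssl fails here on the same kind of file mokutil calls "Not a valid x509 certificate".
  if fp=$(openssl x509 -inform DER -in "$cert" -noout -fingerprint -sha1 2>/dev/null); then
    if mokutil --list-enrolled | is_enrolled "$fp"; then echo "certificate is enrolled"
    else echo "certificate is NOT in the enrolled MOK list"; fi
  else
    echo "$cert is not a valid DER X.509 certificate"
  fi
fi
```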

References