Nvidia/Fedora/Secure Boot dilemma

I recently bought a laptop with an Nvidia Optimus GPU. During the installation of the Fedora Nvidia driver, I made a hard-earned discovery: the RPM Fusion Nvidia driver is not cryptographically signed. This means I kept getting tainted kernel warnings, along with the Intel GPU driver, until I disabled Secure Boot. While that may not seem consequential, it does render the Windows drive unbootable if I don’t have my BitLocker key handy. If I leave Secure Boot enabled and try to boot Fedora, I get a usable but unaccelerated desktop.

In contrast, other distros provide signed Nvidia drivers. So this presents me with a list of possible solutions and workarounds:

  1. Presumably the official proprietary driver is signed. I could install that, but the official Nvidia driver has its own drawbacks.
  2. Migrate to another distro. I do rather like Fedora, but some of my favorite desktops have proven unstable in version 33.
  3. Decrypt the Windows partition and leave it that way. Not a very attractive solution.
  4. Restrict gameplay to Windows only. This would leave a lot of unused space on my Fedora drive, and I like being able to stay in Linux most of the time.

Does anyone know of any other solutions? Which one makes the most sense to people? Am I overlooking anything?

I decided to install the official Nvidia drivers direct from Team Green, under the assumption that they were signed. Except they weren’t. I still had to disable Secure Boot to get accelerated graphics.

So I signed the Nvidia modules myself. I was surprised I could do this; I thought the modules had to be signed with a super-secret OEM certificate. But it turns out that just like a website, you can use a self-signed certificate. In general terms, I had to generate a cert/key pair with openssl, install the public key with mokutil and run the Nvidia installer with the public and private keys specified on the command line.

If anyone is actually interested I can probably reproduce the exact steps I used.

What remains to be seen is how things will play out when a kernel update hits the Fedora 33 repo. DKMS is installed, but I don’t know if it’s ‘smart’ enough to sign the modules it generates after an update. Fingers crossed…
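One way to answer the open question about DKMS after a kernel update is to inspect the rebuilt module files directly. The following is an added example, not the poster's steps or any project's own tool: it looks for the signature trailer that the kernel's module signing appends to a `.ko` file, and the module paths passed on the command line are whatever your system uses.

```python
import lzma
import struct
import sys

# Signed module layout: [ELF][PKCS#7 signature][struct module_signature][magic]
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, big-endian 32-bit sig_len (12 bytes total)
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def read_module(path):
    """Read a .ko file, transparently decompressing .ko.xz."""
    with open(path, "rb") as f:
        data = f.read()
    return lzma.decompress(data) if path.endswith(".xz") else data


def signature_info(data):
    """Return trailer fields for a signed module, or None if unsigned.

    Raises ValueError when the magic is present but the trailer is inconsistent.
    """
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("truncated signature trailer")
    _, _, id_type, _, _, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    payload_len = len(body) - TRAILER.size - sig_len
    if sig_len == 0 or payload_len < 0:
        raise ValueError("signature length inconsistent with file size")
    return {"pkcs7": id_type == PKEY_ID_PKCS7, "sig_len": sig_len,
            "payload_len": payload_len}


def main(paths):
    """Print one line per module; return 1 if any module is unsigned."""
    unsigned = 0
    for path in paths:
        info = signature_info(read_module(path))
        if info is None:
            unsigned += 1
            print(f"UNSIGNED  {path}")
        else:
            print(f"SIGNED    {path} (PKCS#7={info['pkcs7']}, {info['sig_len']} bytes)")
    return 1 if unsigned else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A trailer only shows that the module was signed; whether the kernel accepts it under Secure Boot still depends on the signing certificate being enrolled as a Machine Owner Key. `modinfo -F signer <module>` shows which key name the signature claims.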