Dimokat/nvidia-secureboot-signing

NVIDIA Kernel Module Signing for Secure Boot (Linux)

This repository contains a setup script that automates signing NVIDIA kernel modules for Secure Boot. It generates a Machine Owner Key (MOK), installs a signing service, and enables it at boot so that the modules are re-signed automatically after updates.

🚀 Features

  • 📦 Automatically generates and stores signing keys
  • 🔐 Signs all critical NVIDIA modules: nvidia, nvidia_drm, nvidia_modeset, nvidia_uvm
  • 🖥️ Creates and enables a systemd service to ensure modules are re-signed on boot
  • 📑 Includes logging via journalctl
  • ✅ Secure Boot compatible

📋 Requirements

  • Secure Boot enabled system
  • mokutil, openssl, modinfo, and systemd
  • NVIDIA proprietary drivers already installed

⚙️ Installation

  1. Clone the repository:

    git clone https://github.com/Dimokat/nvidia-secureboot-signing.git
    cd nvidia-secureboot-signing
  2. Make the script executable and run it:

    chmod +x setup-nvidia-signing.sh
    sudo ./setup-nvidia-signing.sh
  3. Enroll the MOK key (you'll be prompted to set a password):

    sudo mokutil --import /var/lib/nvidia-signing/MOK.der
  4. Reboot your system. During boot, follow the on-screen instructions to enroll the key (you’ll need the password you set).


🧪 Verify

After reboot, check if the modules were signed:

    dmesg | grep -i nvidia
    sudo journalctl -u nvidia-signing.service

You should see success messages and no signature verification errors.


🔄 What Happens on Boot?

The nvidia-signing.service:

  • Detects installed NVIDIA modules
  • Uses the sign-file script from your kernel sources
  • Signs each module with the MOK private key
  • Outputs status to journalctl -u nvidia-signing.service

📂 Files Installed

| File | Purpose |
|------|---------|
| /usr/local/bin/nvidia-sign.sh | Signing logic |
| /etc/systemd/system/nvidia-signing.service | Systemd service to run at boot |
| /var/lib/nvidia-signing/ | Stores the private key and certificate |
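
A stricter check than the `dmesg` grep in the Verify section, which also covers the key directory listed above. This is an added example, not part of the repository: it reads the `signer` field that `modinfo` reports for each module, flags key files readable by anyone but root, and asks `mokutil` whether the certificate is enrolled. The function names and the `MODINFO`/`KEY_DIR` overrides are assumptions made for this sketch, as is treating every non-`.der` file in the directory as key material.

```sh
#!/bin/sh
# Added example, not part of the repository. Paths and module names come from
# the README; MODINFO and KEY_DIR overrides are hooks added here for testing.
KEY_DIR="${KEY_DIR:-/var/lib/nvidia-signing}"
MODINFO="${MODINFO:-modinfo}"
MODULES="nvidia nvidia_drm nvidia_modeset nvidia_uvm"

# Read modinfo-style text on stdin; print the "signer" value (empty if unsigned).
signer_of() {
    sed -n 's/^signer:[[:space:]]*//p' | head -n 1
}

# Succeed only if $1 is owned by uid $2 (default 0) with no group/other access.
key_is_private() {
    kp_info=$(ls -ldn -- "$1" 2>/dev/null) || return 2
    kp_uid=$(printf '%s\n' "$kp_info" | awk '{ print $3 }')
    [ "$kp_uid" = "${2:-0}" ] || return 1
    case ${kp_info%% *} in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "module: signer" for each NVIDIA module; return 1 if any has no signer.
module_signers() {
    ms_rc=0
    for ms_mod in $MODULES; do
        ms_signer=$($MODINFO "$ms_mod" 2>/dev/null | signer_of)
        [ -n "$ms_signer" ] || { ms_signer=UNSIGNED; ms_rc=1; }
        echo "$ms_mod: $ms_signer"
    done
    return $ms_rc
}

# Full audit: signatures, key-file permissions, MOK enrollment state.
audit() {
    module_signers || echo "WARN: a module is unsigned or missing" >&2
    for a_file in "$KEY_DIR"/*; do
        [ -f "$a_file" ] || continue
        case $a_file in *.der) continue ;; esac   # the DER certificate is public
        # Assumption: every other file in KEY_DIR is key material.
        key_is_private "$a_file" || echo "WARN: $a_file is not root-only" >&2
    done
    mokutil --test-key "$KEY_DIR/MOK.der"   # says whether this key is enrolled
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as root with `--audit` after the reboot; without that argument it only defines the functions.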

🧹 Uninstallation (Manual)

  1. Disable the service:

    sudo systemctl disable nvidia-signing.service
  2. Remove installed files:

    sudo rm -f /usr/local/bin/nvidia-sign.sh
    sudo rm -f /etc/systemd/system/nvidia-signing.service
    sudo rm -rf /var/lib/nvidia-signing/
  3. Reload systemd:

    sudo systemctl daemon-reexec

📜 License

MIT

(P.S. Do whatever you want with it)

About

A simple bash script that creates a signing service for NVIDIA drivers, for those who have Secure Boot enabled
