7. RHEL / CentOS / Rocky Linux / Alma Linux Secure Boot: Howto sign NVIDIA kernel modules (DKMS + .run installer)

This page shows how to keep UEFI Secure Boot enabled and still use NVIDIA proprietary drivers installed using this guide (.run installer + DKMS).

NOTE: This Secure Boot guide is an initial version. If you have problems or something doesn’t work on your system, please drop a comment and tell me (include your distro version, kernel version and NVIDIA driver version).

Important: If you plan to keep Secure Boot enabled, do steps 7.1 – 7.4 before you run the NVIDIA installer. After the driver install, do 7.6 so DKMS rebuilt modules are signed automatically on kernel updates.

When Secure Boot is enabled, the Linux kernel will usually refuse to load unsigned third-party kernel modules. This means nvidia, nvidia_drm, nvidia_modeset, nvidia_uvm modules must be signed with a key trusted by your system firmware (MOK).

7.1 Check is Secure Boot enabled

mokutil --sb-state

If output is SecureBoot enabled, then you need to sign the NVIDIA kernel modules.

7.2 Install needed tools

## RHEL / CentOS / Rocky Linux / Alma Linux 10.1 / 9.7 / 8.10 ##
dnf install openssl mokutil kernel-devel

7.3 Create your own MOK key pair

NOTE: Keep the private key safe. Anyone who has your private key can sign kernel modules which may load on your system.

mkdir -p /root/module-signing
cd /root/module-signing

## Create key + certificate for module signing ##
openssl req -new -x509 -newkey rsa:2048 \
	-keyout MOK-nvidia.priv \
	-outform DER -out MOK-nvidia.der \
	-nodes -days 36500 \
	-subj "/CN=RHEL NVIDIA DKMS Module Signing/"

chmod 600 /root/module-signing/MOK-nvidia.priv

## NVIDIA installer module signing options ##
## You can use MOK-nvidia.priv directly as the secret key.
## Export certificate as PEM (.x509) for installer option.
openssl x509 -inform DER -in /root/module-signing/MOK-nvidia.der -out /root/module-signing/signing-nvidia.x509

7.4 Enroll the public key (MOK) to Secure Boot

mokutil --import /root/module-signing/MOK-nvidia.der
  • Set a one-time password
  • Reboot
  • On next boot you will see MOK Manager
  • Select Enroll MOKContinueYes and type the password you just created

After enrollment, boot normally and continue installation from Step 2 on the main guide

7.5 Sign NVIDIA modules (one-time manual method)

If you used the installer module signing options on step 2.10.2 and everything works, you can usually skip this step. This is useful right after you install NVIDIA drivers to verify (or fix) module signatures.

NOTE (important):

  • Make sure you are signing modules for the same kernel you will boot (check uname -r).
  • If DKMS rebuilds NVIDIA modules after you sign them, then the rebuilt modules are unsigned again. Create DKMS post-build hook on step 7.6.
  • If you use NVIDIA modules in initramfs (common for graphics), rebuild initramfs after signing.

Check is your MOK key enrolled:

mokutil --test-key /root/module-signing/MOK-nvidia.der
## OR ##
mokutil --list-enrolled |grep -i "RHEL NVIDIA DKMS Module Signing" || true
KERNELVER=$(uname -r)
SIGNFILE=/usr/src/kernels/${KERNELVER}/scripts/sign-file

## Sign the installed NVIDIA modules for current kernel ##
for m in nvidia nvidia_drm nvidia_modeset nvidia_uvm; do
	modpath=$(modinfo -F filename "$m")
	echo "Signing $m -> $modpath"
	${SIGNFILE} sha256 /root/module-signing/MOK-nvidia.priv /root/module-signing/MOK-nvidia.der "$modpath"
done

Verify signatures:

modinfo nvidia | egrep -i "signer|sig_key|sig_hash"

If signing succeeded, rebuild module dependencies and initramfs (recommended):

depmod -a
dracut -f

With DKMS, modules will be rebuilt on every kernel update. If you don’t automate signing, you may hit a black screen after an update because the NVIDIA modules fail to load.

Do this step after NVIDIA driver installation to make sure kernel updates keep working with Secure Boot enabled.

On RHEL/CentOS/Rocky/Alma, DKMS can sign modules automatically as part of dkms install. This is the preferred way (no custom hook scripts needed).

For NVIDIA modules only, use module-specific configuration (recommended):

mkdir -p /etc/dkms/nvidia
cat > /etc/dkms/nvidia.conf <<EOF
mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"
EOF

Alternatively, if you prefer to add to the global config file (/etc/dkms/framework.conf), make sure to add these variables:

mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"

You can add these to the config file with:

cat >> /etc/dkms/framework.conf <<EOF
mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"
EOF

7.6.1 Note about dkms status showing “Differences between built and installed modules”

If you see output like:

nvidia/<version>, <kernel>, x86_64: installed (Differences between built and installed modules)

This can be normal when:

  • the modules are signed (signing changes the file), and/or
  • the installed modules are compressed by the system (for example *.ko.xz under /lib/modules/<kernel>/...).

Don’t use dkms status alone to decide if Secure Boot signing works. Verify the actual module signature for the kernel you are going to boot.

Check which kernel will be used:

uname -r

Verify module exists and signature is present for a specific kernel:

KERNELVER="5.14.0-362.8.1.el9_3.x86_64"

modinfo -k "${KERNELVER}" nvidia | egrep -i "filename|signer|sig_key|sig_hash"
modinfo -k "${KERNELVER}" nvidia_drm | egrep -i "filename|signer|sig_key|sig_hash"

If the signer/sig_* fields are missing or modules won’t load, do a clean reinstall for that kernel:

KERNELVER="5.14.0-362.8.1.el9_3.x86_64"
VER="580.142"

## NOTE: do not use --all together with -k ##
dkms remove -m nvidia -v "${VER}" -k "${KERNELVER}" || true
dkms install -m nvidia -v "${VER}" -k "${KERNELVER}" --force

depmod -a "${KERNELVER}"
dracut -f "/boot/initramfs-${KERNELVER}.img" "${KERNELVER}"

7.6.2 DKMS may use its own signing key

On RHEL-based systems, DKMS can sign modules automatically using its own key pair (example paths):

  • Private key: /var/lib/dkms/mok.key
  • Public certificate: /var/lib/dkms/mok.pub

In this case modinfo may show:

  • signer: DKMS module signing key

If Secure Boot is enabled and the key is not enrolled to MOK, then loading modules fails with:

  • modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

Fix option A (recommended): Enroll the DKMS public key

mokutil --import /var/lib/dkms/mok.pub
reboot

Then enroll it on next boot using MOK Manager (Enroll MOK).

Fix option B: Force DKMS to use your own MOK key for NVIDIA modules only (created in step 7.3)

If you want DKMS to sign NVIDIA modules using your own key/cert instead of /var/lib/dkms/mok.*, configure DKMS signing key paths.

For NVIDIA modules only (recommended), use module-specific config:

mkdir -p /etc/dkms/nvidia
cat > /etc/dkms/nvidia.conf <<EOF
mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"
EOF

Alternatively, add to global config file /etc/dkms/framework.conf:

mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"

7.7 Troubleshooting

  • NVIDIA modules won’t load: check journalctl -b -k |grep -i -E "nvidia|Lockdown|secure|mok|signature"
  • MOK Manager not shown after mokutil --import: confirm you are booting UEFI (not legacy BIOS) and Secure Boot is actually enabled.
  • Key rotation: if you want to regenerate keys later, enroll the new MOK-nvidia.der and re-sign modules.

Typical Secure Boot error looks like:

  • Lockdown: ... unsigned module loading is restricted
  • module verification failed: signature and/or required key missing

Check also NVIDIA’s own module signing documentation: