6. Debian 13 Secure Boot: Howto sign NVIDIA kernel modules (DKMS + .run installer)

This page shows how to keep UEFI Secure Boot enabled and still use NVIDIA proprietary drivers installed using this guide (.run installer + DKMS).

NOTE: This Secure Boot guide is an initial version. If you have problems or something doesn’t work on your system, please drop a comment (include your Debian version, kernel version and NVIDIA driver version).

Important: If you plan to keep Secure Boot enabled, do steps 6.1 – 6.4 before you run the NVIDIA installer. After the driver install, do 6.6 so DKMS rebuilt modules are signed automatically on kernel updates.

When Secure Boot is enabled, the Linux kernel will usually refuse to load unsigned third-party kernel modules. This means nvidia, nvidia_drm, nvidia_modeset, nvidia_uvm modules must be signed with a key trusted by your system firmware (MOK).

6.1 Check is Secure Boot enabled

mokutil --sb-state

If output is SecureBoot enabled, then you need to sign the NVIDIA kernel modules.

6.2 Install needed tools

6.2.1 Change root user

su -
## OR ##
sudo -i

6.2.2 Install needed tools

apt update
apt install openssl mokutil linux-headers-$(uname -r)

6.3 Create your own MOK key pair

NOTE: Keep the private key safe. Anyone who has your private key can sign kernel modules which may load on your system.

mkdir -p /root/module-signing
cd /root/module-signing

## Create key + certificate for module signing ##
openssl req -new -x509 -newkey rsa:2048 \
    -keyout MOK-nvidia.priv \
    -outform DER -out MOK-nvidia.der \
    -nodes -days 36500 \
    -subj "/CN=Debian NVIDIA DKMS Module Signing/"

chmod 600 /root/module-signing/MOK-nvidia.priv

## NVIDIA installer module signing options ##
## You can use MOK-nvidia.priv directly as the secret key.
## Export certificate as PEM (.x509) for installer option.
openssl x509 -inform DER -in /root/module-signing/MOK-nvidia.der -out /root/module-signing/signing-nvidia.x509

6.4 Enroll the public key (MOK) to Secure Boot

mokutil --import /root/module-signing/MOK-nvidia.der
  • Set a one-time password
  • Reboot
  • On next boot you should see MOK Manager
  • Select Enroll MOKContinueYes and type the password you just created

After enrollment, boot normally and continue installation from the main guide:

Debian 13 NVIDIA Drivers Install Guide

When you run the .run installer (main guide step 2.9.2), add module signing options:

./NVIDIA-Linux-*.run \
    --module-signing-secret-key=/root/module-signing/MOK-nvidia.priv \
    --module-signing-public-key=/root/module-signing/signing-nvidia.x509

With DKMS, modules will be rebuilt on every kernel update. If you don’t automate signing, you may hit a black screen after an update because the NVIDIA modules fail to load.

On Debian, DKMS can sign modules automatically as part of dkms install. This is the preferred way (no custom hook scripts needed).

For NVIDIA modules only, use module-specific configuration (recommended):

mkdir -p /etc/dkms/nvidia
cat > /etc/dkms/nvidia.conf <<EOF
mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"
EOF

Alternatively, if you prefer to add to the global config file (/etc/dkms/framework.conf or frameworks.conf), make sure to add these variables:

mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"

You can add these to the config file with:

cat >> /etc/dkms/framework.conf <<EOF
mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"
EOF

After this, DKMS signs NVIDIA kernel modules automatically on every rebuild.

If you still get Key was rejected by service, then the signing key/certificate is not enrolled. Enroll the key you actually use:

  • if you use your own key from step 6.3, enroll /root/module-signing/MOK-nvidia.der
  • if DKMS uses its own key, enroll /var/lib/dkms/mok.pub (see 6.6.2)

6.6.1 Note about dkms status showing “Differences between built and installed modules”

If you see output like:

nvidia/<version>, <kernel>, x86_64: installed (Differences between built and installed modules)

This can be normal when:

  • the modules are signed (signing changes the file), and/or
  • the installed modules are compressed by the system.

Don’t use dkms status alone to decide if Secure Boot signing works. Verify the actual module signature for the kernel you are going to boot.

Example:

KERNELVER="$(uname -r)"
modinfo -k "${KERNELVER}" nvidia | egrep -i "filename|signer|sig_key|sig_hash"

6.6.2 Debian note: DKMS may use its own signing key

Some systems have a DKMS-generated key pair (example paths):

  • Private key: /var/lib/dkms/mok.key
  • Public certificate: /var/lib/dkms/mok.pub

In this case modinfo may show:

  • signer: DKMS module signing key

If Secure Boot is enabled and the key is not enrolled to MOK, then loading modules fails with:

  • modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

Fix option A (recommended): Enroll the DKMS public key (if it exists)

ls -l /var/lib/dkms/mok.pub
mokutil --import /var/lib/dkms/mok.pub
reboot

Then enroll it on next boot using MOK Manager (Enroll MOK).

Fix option B: Force DKMS to use your own MOK key for NVIDIA modules only (created in step 6.3)

If you want DKMS to sign NVIDIA modules using your own key/cert instead of /var/lib/dkms/mok.*, configure DKMS signing key paths.

For NVIDIA modules only (recommended), use module-specific config:

mkdir -p /etc/dkms/nvidia
cat > /etc/dkms/nvidia.conf <<EOF
mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"
EOF

Alternatively, add to global config file /etc/dkms/framework.conf:

mok_signing_key="/root/module-signing/MOK-nvidia.priv"
mok_certificate="/root/module-signing/MOK-nvidia.der"

After changing DKMS config, rebuild/install the module for the kernel again.

6.7 Optional: One-time manual signing (for troubleshooting)

If you used installer signing options on step 6.5 and DKMS signing on 6.6, you can usually skip this.

Check is your MOK key enrolled:

mokutil --test-key /root/module-signing/MOK-nvidia.der

Sign the installed NVIDIA modules for current kernel:

KERNELVER=$(uname -r)
SIGNFILE="/lib/modules/${KERNELVER}/build/scripts/sign-file"

for m in nvidia nvidia_drm nvidia_modeset nvidia_uvm; do
    modpath=$(modinfo -F filename "$m")
    echo "Signing $m -> $modpath"
    "${SIGNFILE}" sha256 /root/module-signing/MOK-nvidia.priv /root/module-signing/MOK-nvidia.der "$modpath"
done

Verify signatures:

modinfo nvidia | egrep -i "signer|sig_key|sig_hash"

Rebuild module dependencies and initramfs (recommended):

depmod -a
update-initramfs -u -k $(uname -r)

6.8 Troubleshooting

  • NVIDIA modules won’t load: check journalctl -b -k |grep -i -E "nvidia|Lockdown|secure|mok|signature"
  • MOK Manager not shown after mokutil --import: confirm you are booting UEFI (not legacy BIOS) and Secure Boot is actually enabled.

Typical Secure Boot error looks like:

  • Lockdown: ... unsigned module loading is restricted
  • module verification failed: signature and/or required key missing

Check also NVIDIA’s own module signing documentation: