Nvidia on Ubuntu/Kernel modules: Difference between revisions

Line 1:

I came across an issue on the Linux Surface project titled [https://github.com/linux-surface/linux-surface/issues/906 DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2] - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.

I came across an issue reported to the Linux Surface project (run Linux on the Microsoft Surface tablet) titled [https://github.com/linux-surface/linux-surface/issues/906 DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2] - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.

<pre>

sudo modprobe nvidia

modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

</pre>

There is a lot of great detective work in the comments on that issue to help diagnose and debug the issue I'm having.

Line 16:

Line 21:

sudo update-secureboot-policy --enroll-key

</pre>

Which brings up the NCurses dialog box to supply a password for the ~~Mokutil~~ system

Which brings up the NCurses? dialog box to supply a password for the <code>mokutil</code> system

I gave it a (Secure Boot) password. (~~See~~ Password safe.)

I gave it a (Secure Boot) password (stored in my Password safe.)

And rebooted

Line 24:

Line 29:

But video still didn't work.

But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I ~~probably~~ need to regenerate it or delete it so the system generates a new one.

But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I need to <strike>regenerate it or</strike> delete it so the system generates a new one.

The Canonical key is enrolled.

Line 68:

Line 73:

</pre>

But, when I tried to install nvidia again, package management wouldn't even work because module signing was broken.

I ended up deleting both the .der cert and .priv key files; and I witnessed the DKMS system re-creating new files during <code>apt install nvidia-driver-575-open</code>

Here is the relevant output from the <code>script</code><ref>https://man7.org/linux/man-pages/man1/script.1.html</ref> log

Building initial module nvidia/575.57.08 for 6.8.0-60-generic^M

Sign command: /usr/bin/kmodsign^M

Signing key: /var/lib/shim-signed/mok/MOK.priv^M

Public certificate (MOK): /var/lib/shim-signed/mok/MOK.der^M

Certificate or key are missing, generating self signed certificate for MOK...

</syntaxhighlight>

[[Category:Linux]]

[[Category:Kernel]]

[[Category:Video]]

@@ Line 1: / Line 1: @@
-I came across an issue on the Linux Surface project titled [https://github.com/linux-surface/linux-surface/issues/906 DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2] - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.
+I came across an issue reported to the Linux Surface project (run Linux on the Microsoft Surface tablet) titled [https://github.com/linux-surface/linux-surface/issues/906 DKMS kernel modules give "Key was rejected by service" on Ubuntu 22.04 with 5.19.2] - which is exactly the same problem I'm witnessing with my DKMS modules on Ubuntu 24.
+<pre>
+sudo modprobe nvidia
+modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
+</pre>
 There is a lot of great detective work in the comments on that issue to help diagnose and debug the issue I'm having.
@@ Line 16: / Line 21: @@
 sudo update-secureboot-policy --enroll-key
 </pre>
-Which brings up the NCurses dialog box to supply a password for the Mokutil system
+Which brings up the NCurses? dialog box to supply a password for the <code>mokutil</code> system
-I gave it a (Secure Boot) password. (See Password safe.)
+I gave it a (Secure Boot) password (stored in my Password safe.)
 And rebooted
@@ Line 24: / Line 29: @@
 But video still didn't work.
-But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I probably need to regenerate it or delete it so the system generates a new one.
+But then I noticed that I inadvertently supplied the incorrect configuration by specifying MOK.der as the key (duplicating the key config). So checking for validity of the key, it seems the key got messed up so I need to <strike>regenerate it or</strike> delete it so the system generates a new one.
 The Canonical key is enrolled.
@@ Line 68: / Line 73: @@
 </pre>
+But, when I tried to install nvidia again, package management wouldn't even work because module signing was broken.
+I ended up deleting both the .der cert and .priv key files; and I witnessed the DKMS system re-creating new files during <code>apt install nvidia-driver-575-open</code>
+Here is the relevant output from the <code>script</code><ref>https://man7.org/linux/man-pages/man1/script.1.html</ref> log
+<syntaxhighlight lang="console">
+Building initial module nvidia/575.57.08 for 6.8.0-60-generic^M
+Sign command: /usr/bin/kmodsign^M
+Signing key: /var/lib/shim-signed/mok/MOK.priv^M
+Public certificate (MOK): /var/lib/shim-signed/mok/MOK.der^M
+Certificate or key are missing, generating self signed certificate for MOK...
+</syntaxhighlight>
+{{References}}
+[[Category:Linux]]
+[[Category:Kernel]]
+[[Category:Video]]