This repository contains a setup script that automates signing NVIDIA kernel modules for Secure Boot. It generates Machine Owner Keys (MOK), installs a signing service, and enables it at boot to automatically re-sign modules after updates.
- 📦 Automatically generates and stores signing keys
- 🔐 Signs all critical NVIDIA modules: `nvidia`, `nvidia_drm`, `nvidia_modeset`, `nvidia_uvm`
- 🖥️ Creates and enables a `systemd` service to ensure modules are re-signed on boot
- 📑 Includes logging via `journalctl`
- ✅ Secure Boot compatible
- Secure Boot enabled system
- `mokutil`, `openssl`, `modinfo`, and `systemd`
- NVIDIA proprietary drivers already installed
- Clone the repository:

  ```bash
  git clone https://github.com/Dimokat/nvidia-secureboot-signing.git
  cd nvidia-secureboot-signing
  ```

- Make the script executable and run it:

  ```bash
  chmod +x setup-nvidia-signing.sh
  sudo ./setup-nvidia-signing.sh
  ```

- Enroll the MOK key (you'll be prompted to set a password):

  ```bash
  sudo mokutil --import /var/lib/nvidia-signing/MOK.der
  ```

- Reboot your system. During boot, follow the on-screen instructions to enroll the key (you'll need the password you set).

After reboot, check if the modules were signed:

```bash
dmesg | grep -i nvidia
sudo journalctl -u nvidia-signing.service
```

You should see success messages and no signature verification errors.
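
A complementary check, as an added example that is not part of this repository: it reads each module's `signer` field from `modinfo` and confirms the key directory grants nothing to group or other. The expected signer name is supplied by the caller (assumed here to be the subject CN of the MOK certificate); the function names and the sample `modinfo` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that each NVIDIA module is signed by the expected MOK
# and that the key directory is closed to group/other.

MODULES="nvidia nvidia_drm nvidia_modeset nvidia_uvm"  # module names from the README
KEY_DIR="/var/lib/nvidia-signing"                      # key store path from the README

# Constructed sample of modinfo output for a signed module (not real output).
SAMPLE_MODINFO='filename:       /lib/modules/EXAMPLE/nvidia.ko
signer:         Example MOK
sig_hashalgo:   sha256'

# Print the "signer:" field from modinfo output read on stdin (empty if unsigned).
signer_of() {
    sed -n 's/^signer:[[:space:]]*//p' | head -n 1
}

# Succeed only if modinfo text $1 carries a signature whose signer equals $2.
signed_by() {
    _signer=$(printf '%s\n' "$1" | signer_of)
    [ -n "$_signer" ] && [ "$_signer" = "$2" ]
}

# Succeed only if path $1 exists and grants nothing to group or other.
private_to_owner() {
    _perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$_perms" = "------" ]
}

# Audit the live system; $1 is the expected signer (assumed: CN of the MOK cert).
audit() {
    _rc=0
    for _m in $MODULES; do
        _info=$(modinfo "$_m" 2>/dev/null) || { echo "SKIP $_m (not found)"; continue; }
        if signed_by "$_info" "$1"; then
            echo "OK   $_m"
        else
            echo "FAIL $_m signer='$(printf '%s\n' "$_info" | signer_of)'"
            _rc=1
        fi
    done
    private_to_owner "$KEY_DIR" || { echo "FAIL $KEY_DIR open to group/other or missing"; _rc=1; }
    return "$_rc"
}

# Run only when an expected signer is given, e.g.: sudo sh audit.sh "Example MOK"
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

An unsigned module has no `signer` field, so it is reported as `FAIL` with an empty signer rather than being skipped.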

The `nvidia-signing.service`:

- Detects installed NVIDIA modules
- Uses the `sign-file` script from your kernel sources
- Signs each module with the MOK private key
- Outputs status to `journalctl -u nvidia-signing.service`

| File | Purpose |
|---|---|
| `/usr/local/bin/nvidia-sign.sh` | Signing logic |
| `/etc/systemd/system/nvidia-signing.service` | Systemd service to run at boot |
| `/var/lib/nvidia-signing/` | Stores the private key and certificate |

- Disable the service:

  ```bash
  sudo systemctl disable nvidia-signing.service
  ```

- Remove installed files:

  ```bash
  sudo rm -f /usr/local/bin/nvidia-sign.sh
  sudo rm -f /etc/systemd/system/nvidia-signing.service
  sudo rm -rf /var/lib/nvidia-signing/
  ```

- Reload systemd:

  ```bash
  sudo systemctl daemon-reexec
  ```

MIT
(P.S. Do whatever you want with it)