NVIDIA fails to load with secure boot enabled

Hardware Support
1

Fresh installation, fully updated before enabling NVIDIA driver, which worked fine until I enabled secure boot, which causes the driver to not load. Do I need to sign the driver? I am under the impression that NVIDIA signs drivers as I use Windows 11 Pro as well and by default, driver signatures are verified or they cannot load and I use the NVIDIA drivers as I game.

So please, If I could get some direction on this, it is very appreciated. Below is my hardware info, cleaned of dupes & dummies:

00:00.0 "Host bridge" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse Root Complex" "Micro-Star International Co., Ltd. [MSI]" "Starship/Matisse Root Complex"
00:00.2 "IOMMU" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse IOMMU" "Micro-Star International Co., Ltd. [MSI]" "Starship/Matisse IOMMU"
00:07.1 "PCI bridge" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse Internal PCIe GPP Bridge 0 to bus[E:B]" "" ""
00:08.0 "Host bridge" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse PCIe Dummy Host Bridge" "" ""
00:08.1 "PCI bridge" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse Internal PCIe GPP Bridge 0 to bus[E:B]" "" ""
00:14.0 "SMBus" "Advanced Micro Devices, Inc. [AMD]" "FCH SMBus Controller" -r61 "Micro-Star International Co., Ltd. [MSI]" "FCH SMBus Controller"
00:14.3 "ISA bridge" "Advanced Micro Devices, Inc. [AMD]" "FCH LPC Bridge" -r51 "Micro-Star International Co., Ltd. [MSI]" "FCH LPC Bridge"
01:00.0 "Non-Volatile memory controller" "Realtek Semiconductor Co., Ltd." "Device 5765" -r01 -p02 "Realtek Semiconductor Co., Ltd." "Device 5765"
02:00.0 "USB controller" "Advanced Micro Devices, Inc. [AMD]" "Device 43ee" -p30 "ASMedia Technology Inc." "Device 1142"
02:00.1 "SATA controller" "Advanced Micro Devices, Inc. [AMD]" "Device 43eb" -p01 "ASMedia Technology Inc." "Device 1062"
04:00.0 "Non-Volatile memory controller" "Realtek Semiconductor Co., Ltd." "Device 5765" -r01 -p02 "Realtek Semiconductor Co., Ltd." "Device 5765"
05:00.0 "Network controller" "MEDIATEK Corp." "Device 0608" "MEDIATEK Corp." "Device 0608"
2a:00.0 "Ethernet controller" "Realtek Semiconductor Co., Ltd." "RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller" -r15 "Micro-Star International Co., Ltd. [MSI]" "RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller"
2b:00.0 "VGA compatible controller" "NVIDIA Corporation" "Device 2507" -ra1 "Micro-Star International Co., Ltd. [MSI]" "Device c979"
2b:00.1 "Audio device" "NVIDIA Corporation" "Device 228e" -ra1 "Micro-Star International Co., Ltd. [MSI]" "Device c979"
2d:00.0 "Non-Essential Instrumentation [1300]" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse Reserved SPP" "Micro-Star International Co., Ltd. [MSI]" "Starship/Matisse Reserved SPP"
2d:00.1 "Encryption controller" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse Cryptographic Coprocessor PSPCPP" "Micro-Star International Co., Ltd. [MSI]" "Starship/Matisse Cryptographic Coprocessor PSPCPP"
2d:00.3 "USB controller" "Advanced Micro Devices, Inc. [AMD]" "Matisse USB 3.0 Host Controller" -p30 "Micro-Star International Co., Ltd. [MSI]" "Matisse USB 3.0 Host Controller"
2d:00.4 "Audio device" "Advanced Micro Devices, Inc. [AMD]" "Starship/Matisse HD Audio Controller" "Micro-Star International Co., Ltd. [MSI]" "Starship/Matisse HD Audio Controller"

2

Yes, the Drivers must be signed for use on GnuLinux, not just on Windows.
The signatures exist, you only need to access them with MOK.

I do not use Windows and therefor, I do not use Secure Boot so I am not well qualified to detail a descriptive guide.
You might find help in existing guides online:

3

When setting-up mok on a Zorin/Win 11 dual drive dual boot there was no need to download a driver from nvidia. I used a proprietary nvidia driver available in the repository. I was able to check all the security boxes for Win 11. I did have to install the mokutil package from the repository.

david@d-box:~$ mokutil --sb-state
SecureBoot enabled
david@d-box:~$ ls /sys/firmware/efi
config_table  esrt              fw_vendor      runtime      systab
efivars       fw_platform_size  mok-variables  runtime-map  vars
david@d-box:~$ dmesg | grep -i tpm
[    0.000000] efi: ACPI 2.0=0x9eb4f000 ACPI=0x9eb4f000 TPMFinalLog=0x9ebb9000 SMBIOS=0x9f539000 MEMATTR=0x9a6b6018 ESRT=0x9b4fff98 MOKvar=0x9f550000 RNG=0x9e71d018 TPMEventLog=0x8c5ac018 
[    0.013444] ACPI: TPM2 0x000000009EB9ECF8 000034 (v04 ALASKA A M I    00000001 AMI  00000000)
[    0.013470] ACPI: Reserving TPM2 table memory at [mem 0x9eb9ecf8-0x9eb9ed2b]
2 Likes
4

I purposely installed Zorin ~3 times in a row trying out secure boot enabled Zorin. In the 'short' run, I did the initial install, reboot, login, install shim-signed, run mokutil and set pw, reboot, enter BIOS and enable secure boot - save and exit, will boot to mokutil blue screen - not of 'death' - entered pw, enabled secure boot again through mokutil, reboot, install Nvidia proprietary, run mokutil again to finish Nvidia install and.. it worked.. Though - on my end, along with having the provided shim package, I also had to install shim-signed, and before starting the process. I'm not sure why, I've seen a few posts with others that had to do the same; shim just wasn't enough for my setup apparently? :person_shrugging: Not saying that's anything you're having issues with though.

With secure boot enabled, I ran it like that for about 2 years (first year with it disabled before trying it out randomly) then.. some weird issue happened, couldn't get it sorted out - some flatpaks were in an install / uninstall loop, that's all that would happen.. weird. So, made a current back up and just reinstalled, no secure boot this time though; all is well! I will have to say - Zorin was the first distro I tried getting secure boot working with, period. I never even attempted it before..

Nvidia drivers take a few more steps, that's all - plus the added security :smirk:

1 Like
5

Gday @skinj0b Welcome to the community!
Please keep us updated on your progress, if needed. :slight_smile:
If you have fixed the issue, please let us know how you fixed it.
This could help other user's in the future.

Zorin forum community.

1 Like
6

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.