Unexpected driver behavior - Secure Boot blocks drivers OR primary display freezes

Graphics / Linux Linux
,
1

Bug Summary

System: Ubuntu 24.04
GPU: GeForce RTX 4060 Max-Q / Mobile

Issue: Unable to have monitors functioning as expected with given drivers.

  • When Secure Boot is enabled:
    • nvidia-smi fails with “couldn’t communicate with NVIDIA driver” and “PPM init failed”
    • Second monitor not detected
  • When Secure Boot is disabled:
    • Only second monitor is detected
    • Primary monitor is stuck on (nonquiet) post-grub boot

Troubleshooting Attempts

Driver Versions Tested

  • nvidia-driver-550 (both proprietary and open)
  • nvidia-driver-560 (both proprietary and open)
  • nvidia-driver-570 (both proprietary and open)

Installation Methods Tried

  • Manual apt install of specific driver versions
  • ubuntu-drivers autoinstall
  • ubuntu-drivers install with specific driver targets
  • Complete purge/reinstall cycles (multiple times)
  • Added graphics-drivers PPA
  • Reinstalled linux-headers

System Configuration

  • Modified GRUB configuration (nomodeset)
  • Confirmed linux-headers match running kernel
  • When Secure Boot is enabled, manual modprobe attempts fail

Current State

Module Status:

  • nvidia.ko exists in /lib/modules/6.8.0-60-generic/kernel/nvidia-570/nvidia.ko
  • DKMS status shows: nvidia/570.153.02, 6.8.0-60-generic, x86_64: installed

When Secure Boot is enabled:

  • sudo modprobe nvidia returns: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
  • Only unsigned module loads: nvidia_wmi_ec_backlight

nvidia-bug-report.log (2.4 MB)

2

Im not familiar with dealing with secure boot problems, but the primary/secondary monitor problem you are describing is a common problem. You should plug in your primary monitor alone initially, then after booting, add your second monitor, and properly create display settings, that load when you reboot, (either through display settings or nvidia-settings) so your primary and secondary monitor are configured as such in your settings. I haven’t done it in awhile, but it is common to have issues with dual monitors, even after attempting to make proper settings for them.

3

oh I went to town on this problem recently so I thought I’d document my solution here. same manifestation:

sudo modprobe --verbose nvidia
insmod /lib/modules/6.14.0-24-generic/updates/dkms/nvidia.ko.zst NVreg_TemporaryFilePath=/var/tmp NVreg_EnableS0ixPowerManagement=1 NVreg_PreserveVideoMemoryAllocations=1 
modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

also manifested by this output:

sudo dkms status nvidia
nvidia/570.172.08, 6.11.0-29-generic, x86_64: installed
nvidia/570.172.08, 6.14.0-24-generic, x86_64: installed (Differences between built and installed modules)

which shows that the signing is incorrect for the latest kernel.

eventually tracked it down to:

  • my use of secure boot
  • recently switching to open driver/kernels due to 3090->5090 upgrade
  • the nvidia generated /var/lib/shim-signed/mok/MOK.der was never added to my secure boot key list

I guess the latter could be an installation issue on the nvidia-dkms-nnn-open package

this key can be added manually using the following incantation:

sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

insert password, then you have to reboot and follow the prompts from your bios, using the same password again.

recommend starting the whole process from scratch

  • by removing all existing drivers
  • adding the open driver package
  • then adding the key to the bios and rebooting

something like:

dpkg -l | grep nvidia | awk '{print $2}' | xargs sudo dpkg --force-all -P; sudo apt --fix-broken install -y; sudo apt autoremove -y
sudo apt install -y nvidia-open
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
sudo reboot
4

To have DKMS service sign new driver builds when there’s a new kernel the MOK key must be added to /etc/dkms/framework.conf also.

5

thanks for the tip, I did the following:

  • appended the following to /etc/dkms/framework.conf:
mok_signing_key=/var/lib/shim-signed/mok/MOK.priv
mok_certificate=/var/lib/shim-signed/mok/MOK.der
  • tested the key’s still there by re-running the remove/install from above without the import

I guess I’ll know if it really worked when the modules iterate next..

6 
/etc/kernel/header_postinst.d/dkms:
Sign command: /usr/bin/kmodsign
Signing key: /var/lib/shim-signed/mok/MOK.priv
Public certificate (MOK): /var/lib/shim-signed/mok/MOK.der

Autoinstall of module nvidia/575.57.08 for kernel 6.14.0-27-generic (x86_64)
Building module(s)........... done.
Signing module /var/lib/dkms/nvidia/575.57.08/build/nvidia.ko
Signing module /var/lib/dkms/nvidia/575.57.08/build/nvidia-modeset.ko
Signing module /var/lib/dkms/nvidia/575.57.08/build/nvidia-drm.ko
Signing module /var/lib/dkms/nvidia/575.57.08/build/nvidia-uvm.ko
Signing module /var/lib/dkms/nvidia/575.57.08/build/nvidia-peermem.ko
Installing /lib/modules/6.14.0-27-generic/updates/dkms/nvidia.ko.zst
Installing /lib/modules/6.14.0-27-generic/updates/dkms/nvidia-modeset.ko.zst
Installing /lib/modules/6.14.0-27-generic/updates/dkms/nvidia-drm.ko.zst
Installing /lib/modules/6.14.0-27-generic/updates/dkms/nvidia-uvm.ko.zst
Installing /lib/modules/6.14.0-27-generic/updates/dkms/nvidia-peermem.ko.zst
Running depmod... done.

Autoinstall on 6.14.0-27-generic succeeded for module(s) nvidia.

new modules today, worked.