Ubuntu NVIDIA Driver & the Missing Secure Boot Key Enrollment

Preface

When switching from the Nouveau to the NVIDIA driver in Ubuntu for the first time—for example, using the GUI under Software & Updates -> Additional Drivers—Ubuntu automatically triggers a key enrollment procedure if Secure Boot is enabled, allowing the driver to be loaded.

The process requires the user to set a one-time password, restart the PC, and enter the password to complete the key enrollment.

Driver Not Loading After an Update

After upgrading to Ubuntu 24.04.2, I discovered an issue where the NVIDIA driver was no longer loading, leading to a low-resolution desktop screen. Switching to a newer driver was possible, but the new driver wasn’t loading either.

Even after switching to the Nouveau driver, purging all NVIDIA drivers, and reinstalling the latest recommended version, the NVIDIA driver still failed to load.

No Automatic Key Enrollment

I was nearly out of ideas, but I had a feeling the issue might be related to the enrolled key. Perhaps the key was removed during an upgrade of Ubuntu or my BIOS, and Ubuntu, for some reason, failed to trigger the key enrollment again.

So I checked if the key is there:

sudo mokutil --list-enrolled

Only one key was listed:

Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority

The Fix

Since I expected to see another key, I decided to purge all NVIDIA drivers again. After that, I used the ubuntu-drivers utility to install the recommended driver and force the key enrollment:

sudo ubuntu-drivers install
sudo update-secureboot-policy --enroll-key

This triggered the key enrollment process. I set a one-time password, restarted the PC, entered the password to complete the enrollment, and finally, the driver loaded successfully.

Curious to see if there was another key listed in the UEFI firmware, I checked and found a second key:

Issuer: CN=Ubuntu-Desktop-PC Secure Boot Module Signature key

However, I still don’t know why that key was removed from the UEFI firmware. Perhaps it was due to the Ubuntu upgrade, or maybe a recent BIOS update caused it. But the main problem is that Ubuntu seems to fail to detect the missing key, even when switching drivers in the GUI, and it does not trigger the key enrollment again.
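To turn the manual check described above into something repeatable, here is an added shell script (not part of the original post) that parses `mokutil --list-enrolled` output and reports whether a machine-owner key of the kind shim uses for DKMS-built modules is present, printing the re-enrollment command from the fix when it is not. It assumes the MOK certificate's CN ends in "Secure Boot Module Signature key" as on the author's system, and that mokutil prints one "[key N]" header per enrolled certificate; the sample listings inside are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a shim
# machine-owner key (MOK) for DKMS module signing is enrolled, by parsing the
# text that `mokutil --list-enrolled` prints. Assumptions: the MOK's CN ends in
# MOK_CN_SUFFIX (as on the author's "Ubuntu-Desktop-PC" key) and mokutil
# prints a "[key N]" header line before each enrolled certificate.

MOK_CN_SUFFIX="Secure Boot Module Signature key"

# Constructed sample listings used for offline demonstration.
SAMPLE_OK='[key 1]
Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
[key 2]
Subject: CN=Ubuntu-Desktop-PC Secure Boot Module Signature key'
SAMPLE_MISSING='[key 1]
Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority'

# mok_key_enrolled LISTING: exit 0 if a Subject:/Issuer: line of LISTING
# carries the MOK CN suffix, 1 otherwise. Only those lines are inspected so a
# stray mention of the suffix elsewhere does not count as a match.
mok_key_enrolled() {
    printf '%s\n' "$1" | grep -E '^(Subject|Issuer):' | grep -q "$MOK_CN_SUFFIX"
}

# count_enrolled_keys LISTING: prints how many certificates the listing holds.
count_enrolled_keys() {
    printf '%s\n' "$1" | grep -c '^\[key [0-9]*\]'
}

# check_live_system: run the check against this machine's real MOK list.
# Exit 0 = MOK enrolled, 1 = missing (prints the remedy), 2 = cannot tell.
check_live_system() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed"; return 2; }
    listing=$(mokutil --list-enrolled 2>/dev/null)
    if mok_key_enrolled "$listing"; then
        echo "MOK enrolled; DKMS-signed modules (e.g. nvidia) can load under Secure Boot."
        return 0
    fi
    echo "No MOK among $(count_enrolled_keys "$listing") enrolled key(s); the NVIDIA module will be rejected."
    echo "Re-enroll with: sudo update-secureboot-policy --enroll-key, then reboot and confirm in MokManager."
    return 1
}

if [ "${1:-}" = "--live" ]; then
    check_live_system
else
    mok_key_enrolled "$SAMPLE_OK" && echo "sample 1: MOK present"
    mok_key_enrolled "$SAMPLE_MISSING" || echo "sample 2: MOK missing (the situation in this post)"
fi
```

Run it with `--live` (mokutil needs no root for `--list-enrolled`) to check a real machine; `mokutil --test-key /var/lib/shim-signed/mok/MOK.der` is a complementary check that reports whether that specific certificate file is enrolled.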
