January 30, 2022


Secure Boot and Linux nVidia Drivers


For some time now I have struggled with getting the proprietary nVidia drivers to work on a system with UEFI Secure Boot enabled. The drivers would install correctly but not load, because the Secure Boot signature verification did not complete successfully.

Reading suggests that mokutil --import MOK.der should load the key to the Secure Boot database, ready for the enrolment process to complete upon reboot. This enrolment process should present a screen where the certificate password is requested. However, this was not occurring: the machine would boot into Ubuntu, but the resolution would be stuck at 1024x768 with an unrecognised display.

With a little persistence and a lot more reading, I found a little thread of thought that suggested I manually load the certificate into the Secure Boot database.

Boot your machine and enter the BIOS (I do this by pressing DEL during the boot process on the Asus motherboard I’m using).

Go to the boot menu and enter the Secure Boot menu option.

Enter the Key Management menu.

You are presented with many options to clear or save Secure Boot keys, and to load or append to the PK, KEK, dbx and db databases. These databases are:

  • Platform Key (PK)
  • Key Exchange Key (KEK)
  • Signature Database (db)
  • Forbidden Signature Database (dbx)

We want to load our key to the Signature Database, so select Append Default db.

You will be presented with a Yes/No dialog. You should select No so that you can append to the database from a USB storage device.

Select the MOK.der file you placed on the USB drive earlier.

That's it. When you save and exit the BIOS and reboot, you should be booted into Linux with the driver correctly signed and loaded and your resolution set correctly.
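When a driver still refuses to load, it helps to confirm that the module file carries a signature at all. The following is an added example, not part of the original post: it reads the trailer that the Linux kernel's module signing format appends to a signed .ko file. It assumes an uncompressed module image, and the sample bytes in it are constructed placeholders.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"   # marker at the very end of a signed module
SIG_INFO = struct.Struct(">BBBBB3xI")      # kernel's struct module_signature (12 bytes)
PKEY_ID_PKCS7 = 2                          # id_type for a PKCS#7 signature


def module_signature_info(data):
    """Return the appended-signature details of a .ko image, or None if unsigned."""
    if not data.endswith(MAGIC):
        return None
    info_end = len(data) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        raise ValueError("file too short for a signature trailer")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = SIG_INFO.unpack(
        data[info_start:info_end])
    sig_start = info_start - sig_len       # signature blob sits just before the struct
    if sig_start < 0:
        raise ValueError("sig_len is larger than the file")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "module_len": sig_start,           # bytes of module covered by the signature
        "signature": data[sig_start:info_start],
    }


# Constructed sample: placeholder bytes, not a real module or a real signature.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_SIG = b"\x30\x0e" + b"\xaa" * 14
SAMPLE_SIGNED = (SAMPLE_MODULE + SAMPLE_SIG
                 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_SIG)) + MAGIC)

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path to an uncompressed .ko file
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = SAMPLE_SIGNED
    info = module_signature_info(image)
    if info is None:
        print("unsigned: no appended signature found")
    else:
        kind = "PKCS#7" if info["id_type"] == PKEY_ID_PKCS7 else "type %d" % info["id_type"]
        print("signed: %s signature, %d bytes" % (kind, info["sig_len"]))
```

A result of None means the module was never signed, so enrolling a key cannot make it load; a signed result only shows that a signature is present, not which key produced it.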
