Many developers know that NVIDIA’s support for Linux isn't exactly stellar. Still, when it comes to workloads that benefit from parallel computing—like multiplying two massive matrices—NVIDIA GPUs often become a necessary tool. Installing the proprietary NVIDIA driver on Linux can sometimes feel like a hassle, especially when Secure Boot is enabled. Some users even disable Secure Boot altogether to avoid dealing with cryptographic signatures and kernel module verification.

However, disabling Secure Boot is not ideal. It's a crucial security mechanism designed to prevent pre-boot attacks—threats that are notoriously difficult to detect once they succeed. Fortunately, with Fedora 42, the process of working with Secure Boot has become much more manageable, thanks to a set of helpful tools that abstract away most of the complexity.

In this guide, I’ll walk you through how to install the NVIDIA driver on Fedora 42 with Secure Boot enabled.

Understanding Secure Boot and MOK

The first step is to enroll a Machine Owner Key (MOK), which we’ll use to sign the NVIDIA kernel module. But before diving into that, let’s briefly cover what Secure Boot is and why MOK is necessary.

Secure Boot is a UEFI feature that verifies the digital signatures of bootloaders, kernels, and kernel modules during the boot process. Most motherboards ship with pre-installed platform keys in their firmware. These keys determine which executables are trusted and allowed to run. If an executable—like a custom kernel module—isn't signed with one of these trusted keys, Secure Boot will block it.

That’s where MOK comes in. MOKs offer a user-managed way to add trusted keys to Secure Boot without needing access to the private platform keys (which we have no way of obtaining). By enrolling your own MOK into the system's firmware, you can sign your own modules (like NVIDIA’s) and have them pass Secure Boot validation.

The Plan

Here's what we'll do:

  1. Generate a custom MOK.
  2. Enroll it into your system’s UEFI firmware.
  3. Install the NVIDIA driver (which will be signed automatically).

Generate a Custom MOK

First, install the required tools to generate and manage a Machine Owner Key (MOK):

sudo dnf install kmodtool akmods mokutil openssl

Next, generate a MOK using default settings:

sudo kmodgenca -a

Once the command completes, two symbolic links will be created:

  • /etc/pki/akmods/certs/public_key.der — points to your public key
  • /etc/pki/akmods/private/private_key.priv — points to your private key

Now, let’s enroll the public key into the UEFI firmware.

Enroll MOK to UEFI Firmware

To enroll the MOK:

sudo mokutil --import /etc/pki/akmods/certs/public_key.der

Note: The key will not be enrolled immediately. This command only schedules it for the next boot. You’ll be prompted to create a password—remember it, as you’ll need it to complete the enrollment during boot.

To confirm that the key is scheduled for enrollment:

sudo mokutil --list-new

Then reboot the system:

reboot

During the boot process, you’ll be prompted to enroll the key. Use the password you set earlier to approve it.

Once you've logged back into your system, verify that the key has been successfully enrolled:

sudo mokutil --list-enrolled

You should see your key listed in the output.
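
Rather than comparing the listing by eye, you can match the certificate's SHA-1 fingerprint against the enrolled keys. The script below is an added example, not part of the original guide; the function names are hypothetical, and it assumes mokutil prints a "SHA1 Fingerprint:" line per key, as in the constructed sample embedded in it.

```bash
#!/usr/bin/env bash
# Added example: confirm a certificate is among the enrolled MOKs by fingerprint.

# Reduce a fingerprint to bare lowercase hex so both tools' formats compare:
#   openssl: "sha1 Fingerprint=AB:CD:..."   mokutil: "SHA1 Fingerprint: ab:cd:..."
normalize_fp() {
    printf '%s\n' "$1" |
        sed -E 's/^.*[Ff]ingerprint[=:] *//' |
        tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-1 fingerprint of a DER certificate file, normalised.
der_fingerprint() {
    normalize_fp "$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1)"
}

# Read `mokutil --list-enrolled` output on stdin.
# Return 0 if fingerprint $1 is listed, 1 if not, 2 if $1 is empty.
mok_enrolled() {
    local want line
    want=$(normalize_fp "$1")
    [ -n "$want" ] || return 2
    while IFS= read -r line; do
        case $line in
            "SHA1 Fingerprint:"*)
                [ "$(normalize_fp "$line")" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of the listing format (placeholder values, not real keys).
SAMPLE_LIST='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
[key 2]
SHA1 Fingerprint: de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff'

# Demo on the sample: the openssl-style input below matches key 2.
if printf '%s\n' "$SAMPLE_LIST" |
    mok_enrolled 'sha1 Fingerprint=DE:AD:BE:EF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
then echo "enrolled"; else echo "NOT enrolled"; fi

# On a real system:
#   sudo mokutil --list-enrolled |
#       mok_enrolled "$(der_fingerprint /etc/pki/akmods/certs/public_key.der)"
```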

Bonus: Revoke Enrolled MOK

If you can enroll a MOK, you can also revoke it. According to the mokutil manual, there are a couple of ways to do this:

-d, --delete
Collect the following files and form a deleting request to shim. The files must be in DER format.
...
--delete-hash
Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.

Both methods require access to the public key file originally used during enrollment. That can be a problem—especially if you've reinstalled the OS and didn’t revoke the MOK beforehand. Since MOKs are stored in UEFI firmware, they persist across OS reinstalls.

So are you stuck? Not quite.

Fortunately, since the MOK is still enrolled in firmware, you can export a copy of the public keys directly from there:

sudo mokutil --export
ls -al

You should see files like MOK-001.der, MOK-002.der, etc. These correspond to the keys listed by:

sudo mokutil --list-enrolled

To revoke a specific key, use the following command with the appropriate key file:

sudo mokutil --delete MOK-001.der

You’ll be prompted to create a password for the deletion request. Just like enrollment, the revocation won't happen immediately. Instead, it will be queued for the next boot.

To confirm the revocation has been scheduled:

sudo mokutil --list-delete

Reboot the machine. During the boot process, you’ll be prompted to approve the key deletion. Enter the password you set, and the key will be removed from UEFI firmware.

Install NVIDIA Driver

We’ll install the NVIDIA driver from RPM Fusion. Start by enabling both the free and non-free RPM Fusion repositories:

sudo dnf install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

Then, enable the OpenH264 repository:

sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1

Before proceeding with the driver installation, update your system to ensure you're using the latest kernel. If a new kernel is installed, reboot your system before continuing:

sudo dnf upgrade --refresh -y
reboot

Now install the NVIDIA driver using akmod:

sudo dnf install akmod-nvidia

Thanks to the MOK you've enrolled, akmod will automatically sign the module. But what exactly is akmod?

Akmod is a tool that automatically builds and installs kernel modules at boot time for the currently running kernel. Unlike precompiled kmod packages, which target specific kernel versions, akmod dynamically compiles modules from source RPMs, making it ideal for systems with frequently updated or custom kernels. It’s similar to DKMS, but typically easier to manage on Fedora-based systems.

After installation, akmod might still be building the module in the background. This can take a few minutes. You can check whether the NVIDIA module has finished building:

modinfo -F version nvidia

If you get an error, the build hasn't completed yet. If a version number appears, you're good to go.

Finally, reboot:

reboot

After rebooting, confirm the NVIDIA driver is loaded:

lsmod | grep -i "nvidia"

Bonus: Check the Signature or Re-sign the Kernel Module with akmod

Sometimes, akmod may fail to sign kernel modules—usually because the MOK wasn’t enrolled beforehand. If the module isn’t loading, check whether it’s signed:

modinfo nvidia

Look for the following fields: signer, sig_key, sig_hashalgo, and signature. If they’re missing, the module is unsigned.

To fix this, rebuild and re-sign the module. Ensure your MOK is already enrolled before doing this:

sudo akmods --rebuild
sudo dracut --force

This rebuilds all akmods and regenerates the initramfs to include the newly signed modules.
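
The field check described above can be scripted so it reports whether the module is unsigned, signed, or signed by a key other than the one you expect. This is an added example, not part of the original guide; the function name and the sample modinfo excerpts are constructed for illustration, and the expected signer name is something you supply yourself.

```bash
#!/usr/bin/env bash
# Added example: classify `modinfo` output as unsigned, signed, or signed by
# a key other than the one expected.

# stdin: output of `modinfo <module>`; $1: expected signer name (optional).
# Exit 0 = signed (and signer matches if given), 1 = unsigned, 2 = other signer.
module_sig_status() {
    awk -v want="$1" '
        /^(signer|sig_key|sig_hashalgo|signature):/ {
            key = $1; sub(/:$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            seen[key] = val
        }
        END {
            n = split("signer sig_key sig_hashalgo signature", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen) || seen[req[i]] == "")
                    missing = missing " " req[i]
            if (missing != "") { print "unsigned: missing" missing; exit 1 }
            if (want != "" && seen["signer"] != want) {
                print "signed by unexpected key: " seen["signer"]; exit 2
            }
            print "signed by " seen["signer"] " (" seen["sig_hashalgo"] ")"
        }'
}

# Constructed modinfo excerpts (placeholder values, not real output).
SIGNED_SAMPLE='filename:       /lib/modules/KERNEL/extra/nvidia/nvidia.ko.xz
version:        0.0.0
signer:         example-mok-signer
sig_key:        11:22:33:44
sig_hashalgo:   sha256
signature:      AA:BB:CC:DD'

UNSIGNED_SAMPLE='filename:       /lib/modules/KERNEL/extra/nvidia/nvidia.ko.xz
version:        0.0.0'

# Demo on the samples: the first is signed, the second is unsigned.
printf '%s\n' "$SIGNED_SAMPLE"   | module_sig_status example-mok-signer
printf '%s\n' "$UNSIGNED_SAMPLE" | module_sig_status || true

# On a real system:  modinfo nvidia | module_sig_status
```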

Optional: Install CUDA

To fully utilize GPU-accelerated computing, you’ll also need the CUDA driver and toolkit. The CUDA driver is already included with the NVIDIA driver package. To install it explicitly:

sudo dnf install xorg-x11-drv-nvidia-cuda

You should be able to run:

nvidia-smi

If it fails, reboot and try again.

To install the CUDA toolkit:

sudo dnf config-manager addrepo --from-repofile=https://developer.download.nvidia.com/compute/cuda/repos/fedora41/$(uname -m)/cuda-fedora41.repo
sudo dnf clean all
sudo dnf module disable nvidia-driver
sudo dnf config-manager setopt cuda-fedora41-$(uname -m).exclude=nvidia-driver,nvidia-modprobe,nvidia-persistenced,nvidia-settings,nvidia-libXNVCtrl,nvidia-xconfig
sudo dnf -y install cuda-toolkit

After installation, you should be able to compile and run CUDA-enabled applications that rely on GPU acceleration.
