[Solved] Cannot sign nvidia modules after upgrade to 565.57.01 driver

[killy9999]

I am running Debian 12 with nVidia proprietary drivers installed from the official nVidia repository for Debian. I have SecureBoot enabled on my system and have set up automatic module signing via DKMS, as described in this reddit thread. This worked well until I updated the drivers from 560.35.03 to 565.57.01, following the recent security advisories. It seems like signing the nVidia modules no longer works and my system no longer boots into graphic mode, with errors reported from nvidia-persistencd service. Trying to sign a module manually by calling:

Code: Select all

/usr/src/linux-headers-6.1.0-26-amd64/scripts/sign-file sha256 /root/.mok/MOK.priv /root/.mok/MOK.der /lib/modules/6.1.0-26-amd64/updates/dkms/nvidia-current-drm.ko

results in:

Code: Select all

At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: /lib/modules/6.1.0-26-amd64/updates/dkms/nvidia-current-drm.ko

I note that there are no errors reported when (re)installing the nVidia driver packages, as if they were omitted or as if the module signing was not even attempted. Also, I can sign VirtualBox modules just fine, so it is not a general module signing problem, but rather specific to nVidia. The only way I can boot into graphic mode is by disabling SecureBoot in the BIOS. Help appreciated.

[Aki]

Hello,

Perhaps this earlier discussion will help you (suspect that the PEM signing key is not in the format expected by the building process of the kernel):

• Help with compiling a signed vanilla kernel

[killy9999]

Thanks! I'll try out these instructions - might take a few days - and report back.

[killy9999]

@Aki I found the cause problem. I had the module signing set up to be done automatically via DKMS. This included a file /etc/dkms/nvidia-current.conf, where the name of the conf file must match the module names. It turns out that in the driver 565 all nvidia modules were renamed from nvidia-current-* to nvidia-* (the current- part was dropped). The solution was to rename /etc/dkms/nvidia-current.conf to /etc/dkms/nvidia.conf and it now works.

[Aki]

Hello,

@Aki I found the cause problem. I had the module signing set up to be done automatically via DKMS. This included a file /etc/dkms/nvidia-current.conf, where the name of the conf file must match the module names. It turns out that in the driver 565 all nvidia modules were renamed from nvidia-current-* to nvidia-* (the current- part was dropped). The solution was to rename /etc/dkms/nvidia-current.conf to /etc/dkms/nvidia.conf and it now works.

I'm glad you sorted it out. :)

Please, mark the discussion as "solved" manually adding the text tag "[Solved]" at the beginning of the subject of the first message.

Thanks for reporting back.

Happy Debian ! :)

[killy9999]

Marked as solved.

Actually, I need to correct what I wrote in the previous post. The original error that I saw:

Code: Select all

At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: /lib/modules/6.1.0-26-amd64/updates/dkms/nvidia-current-drm.ko

was from a script that had all the module names hardcoded. The "No such file or directory" part of the message refers to the module file, whose name has changed and it no longer exists. In the particular example above, nvidia-current-drm.ko no longer exists as it is now called nvidia-drm.ko

The second part of the problem was that I had the mentioned DKMS hook script, which does not have the names hardcoded - it receives them on the command line during the build process. That script had the incorrect name and was not picked up during the build, as explained in my previous post.

I hope this helps anyone reading this in the future.