For many applications the open source nouveau graphics driver for Nvidia GPUs provides acceptable performance on Linux. However, in more demanding applications, especially gaming, Linux users will find it necessary to install the proprietary Nvidia graphics drivers when relying on an Nvidia GPU.

Many Linux distributions or third party repositories provide pre-packaged Nvidia binary drivers but in some cases it may be necessary to install the drivers manually. There are helpful instructions around the web, my favorite being the if-not-true-then-false articles. But piecing together commands can get cumbersome or difficult, especially when you add UEFI to the mix which will require driver signing.

To make things easier I put together some scripts to simplify some of the installation steps. The nvidia-install-scripts project contains a handful of Bash scripts to assist wih setting up the keys for kernel module signing as well as scripts for installation of the Nvidia binary driver.

Kernel Module Signing Keys

When using Secure Boot the Nvidia kernel module will need to be signed to enable loading of the module at run time. These steps are only executed once and the key pair will then be reused each time the Nvidia kernel module is updated.

A custom key pair needs to be created with openssl and installed as a machine owner key. The make-key.sh and import-key.sh scripts contain the commands to perform this task.

Create key pair (make-key.sh)

This script will create the public and private key pair for kernel module signing.

      #!/bin/bash

      openssl req -new -x509 -newkey rsa:2048 -keyout ./nvidia.key -outform DER -out ./nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"
    

Install machine owner key (import-key.sh)

The public key component of the machine owner key must be installed in the motherboard NVRAM for use by the UEFI Secure Boot for kernel module validation.

      #!/bin/bash

      mokutil --import ./nvidia.der
    

These scripts are only needed the first time the installation is performed. The same key will be used to sign any future Nvidia kernel module installs.

Enable/Disable GUI Interface

When performing a driver installation or upgrade it will be necessary to boot into a non-gui mode to run the install commands and a then switch back when finished. The nogui-target.sh and gui-target.sh scripts are used to switch modes between reboots.

Disable GUI mode (nogui-target.sh)

      #!/bin/bash

      systemctl set-default multi-user.target
    

Enable GUI mode (gui-target.sh)

      #!/bin/bash

      systemctl set-default graphical.target
    

Driver Install (signed-install.sh)

And then there is the actual installation script that performs a signed module install using the Nvidia binary installer and the previously generated signing key.

      #!/bin/bash

      PRIVATE_KEY="/root/nvidia/nvidia.key"
      PUBLIC_KEY="/root/nvidia/nvidia.der"

      NVIDIA_INSTALLER="$1"

      if [ -z "$NVIDIA_INSTALLER" ]; then
      	echo "Specify installer to use"
      	exit 1
      fi

      if [ ! -f "./$NVIDIA_INSTALLER" ]; then
      	echo "Install not found, $NVIDIA_INSTALLER"
      	exit 1
      fi

      if [ ! -f "$PRIVATE_KEY" ]; then
      	echo "Private key not found, $PRIVATE_KEY"
      	exit 1
      fi

      if [ ! -f "$PUBLIC_KEY" ]; then
      	echo "Public key not found, $PUBLIC_KEY"
      	exit 1
      fi

      echo "Running installer $NVIDIA_INSTALLER"

      ./$NVIDIA_INSTALLER \
      --module-signing-secret-key="$PRIVATE_KEY" \
      --module-signing-public-key="$PUBLIC_KEY"