For general information: https://www.redhat.com/en/blog/uefi-secure-boot
- The installation media (ISO-9660 image on CD/USB) for RHEL 8.x is bootable with UEFI Secure Boot enabled.
- NOTE: make sure to select the EFI boot option to install an appropriate boot loader
$ sudo mokutil --sb-state
SecureBoot enabled
note: the EFI stub may also print the above message at boot-up
Instructions provided are for the precompiled streams only. Use of DKMS streams is not supported with this technique.
$ sudo dnf module install nvidia-driver:latest
or
$ sudo dnf module install nvidia-driver:XXX
A clean install of RHEL 8.x (without the NVIDIA driver) is bootable with UEFI Secure Boot enabled. Once the NVIDIA driver is installed, the nouveau driver will be disabled. Without the key enrolled in the MOK, the nvidia kernel modules will be unable to load. The system will therefore either fall back to the VESA driver (if supported) or to runlevel 3 (virtual terminal).
$ lsmod | grep -e nouveau -e nvidia
note: in this scenario, the output will be empty
To avoid this scenario, import the public key into the MOK database prior to reboot. See steps below.
note: skip this step if using your own certificate
- NVIDIA 2019 for RHEL8:
NVIDIA2019-public_key.der
- See table for supported kmod packages
- Key is subject to change in a future release
$ sudo mokutil --import *public_key.der
note: you will be asked to create a new password (between 1 and 256 characters)
$ sudo mokutil --list-new | grep Issuer
note: the key to be enrolled should be listed
On the next reboot, the MOK management interface will load.
- Press a key to continue.
- Select enroll MOK
- Select view key
- Confirm the key is correct
- Select yes to enroll the key into db
- Input the password created from the mokutil step
- Select reboot
- The NVIDIA kernel modules will load
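
To confirm that the certificate waiting in the enrollment request is the file you imported, compare full fingerprints rather than reading only the Issuer line. The script below is an added example, not part of the original instructions; it assumes mokutil prints a `SHA1 Fingerprint:` line for each key in its listings, and the function names and script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: track one certificate through MOK enrollment by fingerprint.
# Assumption: mokutil listings contain "SHA1 Fingerprint: aa:bb:..." lines.

# An X.509 fingerprint is the hash of the DER encoding, so sha1sum suffices.
der_fingerprint() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    sha1sum "$1" | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# Print enrolled, pending or absent for fingerprint $1, given the text of
# `mokutil --list-enrolled` ($2) and `mokutil --list-new` ($3).
mok_key_state() {
    if printf '%s\n' "$2" | grep -qiF "SHA1 Fingerprint: $1"; then
        echo enrolled
    elif printf '%s\n' "$3" | grep -qiF "SHA1 Fingerprint: $1"; then
        echo pending
    else
        echo absent
    fi
}

# Report on a live system (run as root): ./check_mok.sh <certificate.der>
check_mok() {
    local fp state
    fp=$(der_fingerprint "$1") || return 1
    echo "certificate fingerprint: $fp"
    mokutil --sb-state
    state=$(mok_key_state "$fp" "$(mokutil --list-enrolled 2>/dev/null)" \
                                "$(mokutil --list-new 2>/dev/null)")
    echo "MOK state: $state"
    case $state in
        enrolled) echo "module signer: $(modinfo -F signer nvidia)" ;;
        pending)  echo "reboot and finish enrollment in the MOK manager" ;;
        absent)   echo "not imported yet: sudo mokutil --import $1" ;;
    esac
}

# Only act when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then check_mok "$@"; fi
```

Run it once after `mokutil --import` (expected state: pending) and again after the reboot (expected state: enrolled, with the signer of the installed nvidia module printed for comparison).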