Installed nvidia driver
Since Fedora 28 wayland is crashing for me (Dell m4700 with external monitor), I got some time to try the nvidia GPU driver. At first I looked at https://www.if-not-true-then-false.com/2015/fedora-nvidia-guide/ which shows the actual output when installed: in "About" page it will show the nvidia card name. Then since it is easier to install from RPM Fusion, I followed https://rpmfusion.org/Howto/NVIDIA. The document is concise but helpful. For example, when it says "Secure Boot" has issue, then it is best turned off in BIOS. For another example, when it says "Wayland" has issue and must install something from Copr, indeed that is the case. Also the "grubby" command to update kernel command line is helpful too.
I followed another article https://gorka.eguileor.com/vbox-vmware-in-secureboot-linux/ to sign the modules. First create a key, then register the key to UEFI, I never did this before. I cannot find the keyring ".system_keyring" but /proc/keys shows something else.
[root@m4700 ~]# cat /proc/keys |grep trust
086fc70c I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 1
3a3ece32 I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 6
[root@m4700 ~]# keyctl list %:.secondary_trusted_keys
6 keys in keyring:
141543180: ---lswrv 0 0 keyring: .builtin_trusted_keys
519723937: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
425639263: ---lswrv 0 0 asymmetric: m4700: e9b8a7dceb32dbad7203e4f126927614ef8d749f
366180860: ---lswrv 0 0 asymmetric: vbox sining key: 71bb96ac139d95a88e376b3549f18b5b6e7a6731
511921353: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
711259049: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
[root@m4700 ~]# keyctl list %:.builtin_trusted_keys
1 key in keyring:
914482814: ---lswrv 0 0 asymmetric: Fedora kernel signing key: 2285ad1ee22995954b75925873d046bfaab640a0
Run "akmods" to build modules. There used to have an error "systemd-modules-load" but after all modules are signed, reboot and the modules seem to load properly.
# rpm -qa | grep ^kmod | xargs rpm -ql | grep .ko$ | xargs -l /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der
I don't know after a new kernel is installed, how much will break. Need to build modules again, sign them and update grub?
edit: updated a kernel and the packages are built automatically. I only need to sign it and it seems grub is fine, may need to rebuilt dracut image to get rid of the early load kernel module warning.
edit: single line script
# uname_r=$(rpm -q --qf="%{VERSION}-%{RELEASE}.%{ARCH}\n" kernel | sort -V | tail -n 1); akmods --kernel $uname_r; rpm -qa kmod-* |
xargs -l rpm -ql |grep .ko$ |
xargs -l /usr/src/kernels/${uname_r}/scripts/sign-file sha256 ./MOK.priv ./MOK.der && dracut --kver $uname_r -f