The title is quite a mouthful, but I think it encapsulates everything that this article will outline :P I've been trying to get a Linux system running on my laptop with secure boot enabled. That part is the easy part (provided the distribution supports secure boot). The more difficult part is installing NVIDIA drivers so that the kernel module is able to load on boot.
The reason for this difficulty is that your laptop needs to know that it can trust the module on boot and just installing the driver is not enough. You have to sign the installation with a key that your laptop knows is trustworthy.
So to start with, let's talk about distributions. Although I love Pop!_OS, unfortunately, it doesn't support secure boot. So you'd have all of your drivers installed but you would not be able to access the OS with secure boot switched on. The answer to this problem: Fedora. And I have to say I am so impressed with this OS, it'll definitely be my main one for an extremely long time. I used Fedora 36 at the time of writing this article. It's really smooth and easy to use, and it uses the latest stable versions of GNOME and Wayland. It also supports secure boot by default, which is a huge win and means you can install it off the bat with secure boot enabled.
Now that I had my Fedora OS running, I wanted to get my NVIDIA drivers sorted. It should be as easy as clicking install from the "Software" app right? Nope :(...
It turns out that if you install it from there, it'll install fine, but the module will not be able to load when you start up your laptop. You'll see an error similar to this:
Nvidia kernel module missing, Falling back to nouveau
Don't panic, there is a way to get this working! If you'd like to read the full story, check out the documentation here. But we won't use this method directly; instead, we'll sign an existing key that allows us to install the NVIDIA drivers. We're going to sign the akmod key. The only thing here is that you need to be responsible and understand that if you're going to install any and every dnf package out there, then don't do this, because then you may as well disable secure boot!
Firstly, we need to check that the key is there (assuming that you've enabled the non-free RPM Fusion repos - I won't run through that here, a quick Google search should show you how to do this):
sudo ls /etc/pki/akmods/certs/
This should show you that a public_key.der file exists in that folder and you can use that key to sign and install your drivers.
Now you want to add this key to your system as one that can be used to sign modules, so you'll run:
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
This will ask you for a passphrase, set this to one you know, AND DON'T FORGET IT!
Now when you reboot, you should see a blue screen that states that you're about to import a key and confirms if you'd like to continue. When you select the key to import, it'll ask for the same passphrase you entered before. Enter the passphrase and submit and that's it, the key will be imported and you'll be able to boot back into your system.
Once you've booted back into the system, go ahead and install the NVIDIA drivers from Software and you should see that when you reboot, there will be no kernel module missing error!
Hope this helps, and enjoy the secure boot system with NVIDIA drivers working smoothly :)!
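To see which step of the procedure above a machine is at, the following status check is an added example, not part of the original article. The function name next_step and its verdict strings are made up for illustration, and the matched mokutil output wording ("is not enrolled", "is already in the enrollment request", "is already enrolled") is an assumption about how mokutil reports key state. Run it as root so the certificate is readable.

```shell
#!/bin/sh
# Added example: report the next step in the akmods key enrollment procedure.
CERT=/etc/pki/akmods/certs/public_key.der   # path used in the article

# next_step SB_STATE KEY_STATE SIGNER  (hypothetical helper)
#   SB_STATE  = output of `mokutil --sb-state`
#   KEY_STATE = output of `mokutil --test-key "$CERT"`
#   SIGNER    = output of `modinfo -F signer nvidia` (empty if unsigned/absent)
# Works only on the text passed in, so it can be exercised without firmware.
next_step() {
    case $1 in
        *"SecureBoot enabled"*) ;;
        *) echo "secure-boot-off"; return 0 ;;
    esac
    case $2 in
        *"is not enrolled"*)     echo "run-import"; return 0 ;;
        *"enrollment request"*)  echo "reboot-and-confirm"; return 0 ;;
        *"is already enrolled"*) ;;
        *) echo "unknown-key-state"; return 0 ;;
    esac
    # A non-empty signer only shows that the module carries a signature;
    # it does not prove which key produced it.
    if [ -z "$3" ]; then
        echo "install-or-rebuild-driver"
    else
        echo "ok"
    fi
}

# Live check: skipped when mokutil is missing or the certificate is unreadable.
if command -v mokutil >/dev/null 2>&1 && [ -r "$CERT" ]; then
    sb_out=$(mokutil --sb-state 2>&1 || true)
    key_out=$(mokutil --test-key "$CERT" 2>&1 || true)
    signer_out=$(modinfo -F signer nvidia 2>/dev/null || true)
    echo "next step: $(next_step "$sb_out" "$key_out" "$signer_out")"
fi
```

A result of "reboot-and-confirm" means the import was requested but the blue enrollment screen has not been completed yet.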