Pegasi Wiki

This wiki acts as a memo for our own work so why not share them? Feel free to browse and use out notes and leave a note while at it.

How to install Nvidia drivers to CentOS 8 / RHEL 8 workstation with secure boot

UPDATE: added kernel update notes

Just did this myself and wrote it down here. How to get your NVidia card working with NVidia drivers using UEFI secure boot. A compact list of commands to execute.

Download drivers

lcpci | grep -i nvidia

Identify model and download latest Linux drivers from NVidia.

Secure boot extras

Make a certificate, import it and reboot. We will use this key/cert with NVidia driver installer.

openssl req -new -x509 -newkey rsa:2048 -keyout /etc/pki/tls/private/nvidia.key -outform DER -out /etc/pki/tls/certs/nvidia.crt -nodes -days 36500 -subj "/CN=Graphics Drivers"
mokutil --import /etc/pki/tls/certs/nvidia.crt 
sync
reboot

Add necessary software

dnf groupinstall "Development Tools"
dnf install libglvnd-devel elfutils-libelf-devel

Disable Nouveau

This should be enough for latest CentOS / RHEL 8:

grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) nouveau.modeset=0"

The old way is to edit /etc/default/grub to add nouveau.modeset=0 in the end of line CRUB_CMDLINE_LINUX so it looks like this:

GRUB_CMDLINE_LINUX="crashkernel=auto <stuff deleted from here> nomodeset quiet nouveau.modeset=0"

Feel free to do it since it makes no harm. Next make grub config:

grub2-mkconfig

Disable nouveau module by creating vim /etc/modprobe.d/nvidia.conf and adding:

blacklist nouveau
options nouveau modeset=0

And running:

dracut --force
sync
reboot

Install Nvidia driver

Use the credentials we created earlier to support secure boot. Answer “yes” to installation of NVIDIA's 32-bit compatibility libraries, overwrite existing libglvnd files and automatic update of your X configuration file.

systemctl isolate multi-user.target
sh NVIDIA-Linux-x86_64-440.82.run -s --module-signing-secret-key=/etc/pki/tls/private/nvidia.key --module-signing-public-key=/etc/pki/tls/certs/nvidia.crt 
reboot

If boot is not successful do:

systemctl restart systemd-logind
reboot

Kernel updates

When a kernel update is due you need to do the following:

  • Update kernel (and other packages)
  • Reboot
  • Run the previous NVIDIA install command
  • Reboot

So start with update and reboot:

dnf update
reboot

Then log in again, open root shell and locate the previous install command:

history | grep NVIDIA

Here you get a list including the latest setup command in a line looking like this:

112  sh /home/user/Downloads/NVIDIA-Linux-x86_64-450.80.02.run -s --module-signing-secret-key=/etc/pki/tls/private/nvidia.key --module-signing-public-key=/etc/pki/tls/certs/nvidia.crt

Just re-run the command by typing the line number preceded by “!”:

!112

And have another reboot:

sync
reboot

That should cover the update procedure.

Comments

All comments and corrections are welcome.

 stars  from 2 votes

Leave a comment

Hyoff, 2020/08/31 01:55
Thanks! It worked for me. I have been trying to install Nvidia drivers for two weeks on Centos 8.2 and most of the information I found is for a Secure Boot turned off. In the Secure Boot Extras section, it would be great to mention about how to Perform MOK Management after reboot and the need to Enroll MOK and the keys just being created with a password.
The drivers were successfully installed but at reboot, I got "Oh no! Something has gone wrong". Replacing 'enforcing' by 'permissive' in the line 'SELINUX=enforcing' of the file /etc/sysconfig/selinux solved the problem. Thanks again.
Pekka Kuronen, 2020/12/17 06:19
MOK enrollment is up there in the "Secure boot extras" but if you mean updating / re-enrolling the credentials with mokutil then that is something I did not do yet.

My system uses secure boot, LUKS encrypted CentOS 8 with SElinux enforcing. Would there be something broken in your installation?
Enter your comment:
I G F M K
 

  //check if we are running within the DokuWiki environment if (!defined("DOKU_INC")){ die(); } //place the needed HTML source codes BELOW this line