The feature my team worked on – Nvidia Driver Installation with Secure Boot Support – was approved by FESCo earlier this week and its upstream implementation was also approved several days ago, so it’s on its way to Fedora 41 and I decided to write a blog post with more context and our motivations behind it.
Installing the Nvidia drivers in Fedora Linux was not easy in the past. You had to add third-party repos and then install specific packages. Not very intuitive for beginners. That’s why we teamed up with the RPMFusion community, which created a separate repository with the Nvidia driver that was enabled in Fedora Workstation if you agreed to enable third-party software sources. It also shipped AppStream metadata to integrate with app catalogs like GNOME Software. So all the user had to do was open GNOME Software, look up “nvidia”, and click to install it. Simple enough.
It only had one problem: it didn’t work with Secure Boot enabled. The next boot would simply fail if Secure Boot was enabled and the reason was not obvious for many users. It was not that significant when we came up with the solution, but it grew in significance as more and more machines had Secure Boot enabled.
The Fedora Workstation Working Group decided earlier this year that it would be better to remove the driver from GNOME Software given the fact that the current solution doesn’t work with Secure Boot. The repository remained among the approved third-party sources, but the user experience of installing the Nvidia driver was significantly degraded.
It’s really not something Fedora Workstation can afford because the Nvidia driver is more popular than ever in the AI craze. So we started thinking about a solution that would meet the criteria and work with Secure Boot. The most seamless solution would be to sign the module with the Fedora key, but that’s pretty much out of the question. Fedora wouldn’t sign a piece of closed source software from a third party repo.
So basically the only solution left is self-signing. It’s not ideal from the UX perspective. The user has to create a password for the machine owner key. The next time they boot, they have to go through several screens in the terminal user interface of mokutil and enter the password. At such an early stage of the boot process the charset is pretty much limited to ASCII, so you can’t let the user use any other characters when creating the password in GNOME Software. But I think Milan Crha (devel) and Jakub Steiner (UX design), who worked on it, handled the problems pretty well.
When I was submitting the change, I was not expecting a lot of resistance. And if any, then questions about why we’re making proprietary software easily installable. But the biggest resistance was related to security. By enrolling a MOK, you allow all modules installed in the future to be signed by it as well.
I understand the security implications of it, but you’re already trusting any software from the package repository you’ve enabled with root privileges anyway, and the only other alternative is to disable Secure Boot completely, which removes that security measure entirely. In addition, the solution with disabled Secure Boot has other problems: it is done differently on different computers, so there is no single set of step-by-step instructions which we could give to all users. And they may not be able to disable Secure Boot at all.
On the other hand, we didn’t do a good job of informing users about the security implications in the original implementation, and feedback from the community helped us come up with a better implementation with a reworked dialog. We’ve also added information about the security implications and instructions on how to remove the MOK when it’s no longer needed to the docs.
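For readers who want to see what the self-signing flow and the later cleanup look like at the command line, here is an added example; it is not code from the GNOME Software implementation or from RPMFusion. It shows the ASCII-only password constraint mentioned above as a small validation function, the MOK enrollment with mokutil, a check that a module really is signed by the enrolled key, and the removal of the MOK once the open-source kernel module makes it unnecessary. The key paths, the minimum password length and the certificate subject are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: self-signing a third-party kernel module with a Machine
# Owner Key (MOK) and removing the MOK later. Not the project's own code.
# Run with LC_ALL=C so character-range checks operate on bytes.
LC_ALL=C
export LC_ALL

# Assumed locations (not from the page): key pair for signing modules.
MOK_KEY="${MOK_KEY:-/etc/pki/akmods/private/private_key.priv}"
MOK_CERT="${MOK_CERT:-/etc/pki/akmods/certs/public_key.der}"
MOK_SUBJECT="${MOK_SUBJECT:-/CN=Example Local Module Signing Key/}"

# The MOK manager that asks for the password at boot runs before any locale
# or keymap is loaded, so the password must be typeable as plain printable
# ASCII. Minimum length of 8 is an assumed policy, not one the page states.
validate_mok_password() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    case $pw in
        *[!' '-~]*) return 1 ;;   # any byte outside 0x20..0x7E
    esac
    return 0
}

# Create a self-signed certificate for module signing (only if none exists).
create_mok() {
    [ -f "$MOK_CERT" ] && return 0
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$MOK_SUBJECT" -keyout "$MOK_KEY" -outform DER -out "$MOK_CERT"
}

# Queue the certificate for enrollment; mokutil prompts for the password,
# which the user re-enters in the MOK manager on the next boot.
enroll_mok() {
    mokutil --import "$MOK_CERT"
}

# Sign one module with the MOK. sign-file ships with the kernel sources.
sign_module() {
    module=$1
    "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 \
        "$MOK_KEY" "$MOK_CERT" "$module"
}

# Verify that a module's signer matches the expected certificate subject,
# so a defender can confirm what key a loaded module was signed with.
module_signed_by() {
    module=$1
    expected=$2
    signer=$(modinfo -F signer "$module" 2>/dev/null)
    [ "$signer" = "$expected" ]
}

# Cleanup once the MOK is no longer needed: queue deletion, confirmed at
# next boot. Also useful to audit which keys are enrolled right now.
remove_mok() {
    mokutil --list-enrolled
    mokutil --delete "$MOK_CERT"
}

# Stand-alone usage: sh this_script.sh enroll|remove (needs root).
case "${1-}" in
    enroll) create_mok && enroll_mok ;;
    remove) remove_mok ;;
esac
```

Run `mokutil --sb-state` first to confirm Secure Boot is actually on; `mokutil --test-key "$MOK_CERT"` reports whether the certificate is already enrolled, which avoids queuing it a second time.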
So in Fedora Workstation 41, installing the Nvidia driver will be as easy as it can be within the constraints of Fedora policies. We still see this as a temporary solution for older Nvidia cards and until Nvidia rolls out its open source kernel module. Then, hopefully, this perennial pain for Linux users will finally be over.