Enabling non-experimental kargs breaks NVIDIA driver | secureblue | Page 1

opaque harbor Jun 28, 2025, 6:44 AM

#

CPU: 5600G
MB: ASRock X570-ITX
GPU: NVIDIA RTX 3080 Ti
RAM: 2x8GB DDR4

Enabling the hardening-kargs (skipping experimental ones) breaks the NVIDIA driver. Desktop resolution is locked at 800x600, running nvidia-smi yields NVIDIA-SMI has failed because it couldn't communicate with the NVIDIA driver. Make sure that the latest NVIDIA driver is installed and running.

I vaguely remember NVIDIA requiring another set of kargs, but neither https://secureblue.dev/install#installation nor https://secureblue.dev/articles/kargs seems to mention them? ujust set-kargs-nvidia is still an option, though.

secureblue

kargs | secureblue

An overview of the hardened boot kargs used in secureblue

secureblue

Install | secureblue

Steps to install secureblue

uneven cave Jun 28, 2025, 7:49 AM

#

opaque harbor CPU: 5600G MB: ASRock X570-ITX GPU: NVIDIA RTX 3080 Ti RAM: 2x8GB DDR4 Enabling...

this probably means you didn't enroll the secureboot key

uneven cave Jun 28, 2025, 7:50 AM

#

opaque harbor CPU: 5600G MB: ASRock X570-ITX GPU: NVIDIA RTX 3080 Ti RAM: 2x8GB DDR4 Enabling...

the isos autoinstall kargs now, so set-kargs-nvidia isn't needed anymore

#

you can confirm by checking rpm-ostree kargs

opaque harbor Jun 28, 2025, 8:57 AM

#

uneven cave this probably means you didn't enroll the secureboot key

That is correct, didn't know these were related

opaque harbor Jun 28, 2025, 8:58 AM

#

uneven cave the isos autoinstall kargs now, so set-kargs-nvidia isn't needed anymore

rd.luks.uuid=luks-bb4b23dd-a229-473d-801a-a777ddaefe7c rhgb quiet root=UUID=49738546-a5f0-499d-8dc1-18d28a6653f5 rootflags=subvol=root rw iommu=pt ostree=/ostree/boot.0/fedora/27038c817cb9bde441225c9668877e5dbf4cacd98b3766af6bcc09c84641a538/0 amdgpu.ppfeaturemask=0xfff7ffff rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1 nvidia-drm.fbdev=1 nosmt=force init_on_alloc=1 init_on_free=1 slab_nomerge page_alloc.shuffle=1 randomize_kstack_offset=on vsyscall=none lockdown=confidentiality random.trust_cpu=off random.trust_bootloader=off iommu=force intel_iommu=on iommu.passthrough=0 iommu.strict=1 pti=on module.sig_enforce=1 mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on l1d_flush=on l1tf=full,force kvm-intel.vmentry_l1d_flush=always loglevel=0

opaque harbor Jun 28, 2025, 9:52 AM

#

uneven cave this probably means you didn't enroll the secureboot key

Enabling Secureboot did solve the issue! Thanks for you help once again.

uneven cave Jun 28, 2025, 9:22 PM

#

opaque harbor That is correct, didn't know these were related

one of the kargs enforces module signing

#

the nvidia karg is a signed module

#

no SB key enrolled = module verification fails

opaque harbor Jun 28, 2025, 9:23 PM

#

uneven cave no SB key enrolled = module verification fails

Nooo

#

That means I've been wrongly blaming NVIDIA for the past 24 hours?

uneven cave Jun 28, 2025, 9:23 PM

#

yes lol

#

not nvidia's fault 😛

opaque harbor Jun 28, 2025, 9:25 PM

#

Buuut my Kernel is tainted. That's NVIDIA's fault, right?

uneven cave Jun 28, 2025, 9:26 PM

#

opaque harbor Buuut my Kernel is tainted. That's NVIDIA's fault, right?

not really

#

the kernel being tainted is informational

#

it means youre using out of tree modules

#

which is necessarily the case if youre using nvidia drivers or any other out of tree kmod

#Enabling non-experimental kargs breaks NVIDIA driver