#Nvidia drivers do not work with kernel lockdown

It seems like the nvidia drivers (at least, the nvidia-dkms package) does not work with the lockdown=integrity kernel parameter.

Relevant journal entries (journalctl -b -2 -p 0..5):

kernel: Lockdown: (udev-worker): unsigned module loading is restricted; see man kernel_lockdown.7
systemd-modules-load[644]: Failed to insert module 'nvidia_uvm': Operation not permitted
systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Load Kernel Modules.

(Quick note, this appears twice in the journal)

I feel like this should be mentioned under the Kernel lockdown mode section of https://wiki.archlinux.org/title/Security#Kernel_hardening

If you want to change things on the wiki it is open source - https://gitlab.archlinux.org/archlinux/archwiki/

you just need to sign up, get approved and make PRs with any updated information

Not trying to dissuade you from posting this here too much but it probably wont be as effective in updating the docs which is what you seem to want 🙂

I mean, I also wanted to ask in case there is already a fix/workaround that allows using lockdown with nvidia-dkms, and I though asking here would be easier than going through the entire account setup/registration things 😅

Got it - I unfortunately dont know about this/can help atm but hopefully others know more!

did you install the kernel headers?

yes

I'm not quite sure why linux-headers is in there, since I only have linux-zen and linux-hardened, but that's probably required by either or both of the two

shouldn't be as far as I know

https://wiki.archlinux.org/title/Security#Mount_options
Do you need to change your fstab at all?

/var is simply a subvolume on my root btrfs, and /var/log and /var/cache are both mounted with rw

and you reran mkinitcpio with nvidia-dkms being installed?

there's no exec for any entry, I don't know if that is simply not required by btrfs, but for as far as I know I can still execute things (given I am talking in the discord app right now 😅 )

yup

not after adding the lockdown parameter, but I thought that not neccesary since I added it in the grub config

I should note that it's not as if the nvidia drivers don't load at all, just not with kernel lockdown

when disabling that, everything works fine

have you got params in there like modeset etc.

I don't know anything about the lockdown parameter, is it possible this is working as it should?

sorry?

my post is about it not working as I expect it should?

yes, I'm saying I don't know much about what you're doing, and checking are you sure your expectations are correct, they may well be, but, I want to double check

I'm just slowly trying to implement the things found at https://wiki.archlinux.org/title/Security

and then I encountered unexpected behaviour not mentioned in said article

is it a signing issue? do you need to sign the modules?
https://wiki.archlinux.org/title/Signed_kernel_modules#Native_DKMS_method

https://bbs.archlinux.org/viewtopic.php?id=289567
Seems relevant

ah,

but afaiu you'll have to build the kernel yourself
it seems like I'll just skip the lockdown parameter then