Installing NVIDIA Proprietary Driver on Ubuntu with Secure Boot (MOK)

This guide shows how to install the official NVIDIA driver (the .run installer from Nvidia.com) on Ubuntu 24.04/25.04 with Secure Boot enabled, sign the kernel modules, enroll the MOK key, and verify that the driver is actually being used (not falling back to llvmpipe).

TL;DR

Download the driver from Nvidia.com
chmod +x NVIDIA-Linux-x86_64-<version>.run
Stop the display manager (e.g., gdm3) and switch to a TTY
Run the installer with module signing (supplies key + cert or lets the installer create them)
Enroll the cert with mokutil --import ...
Reboot and Enroll MOK on the blue screen
Add nvidia-drm.modeset=1 to GRUB, rebuild initramfs, reboot
Verify with nvidia-smi and glxinfo

Prerequisites

Ubuntu 24.04/25.04 (GNOME)
Secure Boot enabled in BIOS/UEFI
Internet access
build-essential, kernel headers, and basic tools:

sudo apt update
sudo apt install -y build-essential dkms linux-headers-$(uname -r) mokutil curl wget mesa-utils

Tip: If you previously installed NVIDIA via apt, either purge it or ensure there’s no conflict. Mixing .run and apt packages can cause headaches.

sudo apt purge 'nvidia-*'

1) Download the official NVIDIA driver

Go to NVIDIA > Drivers and download the correct .run file for your GPU. Save it to ~/Downloads.

cd ~/Downloads
chmod +x NVIDIA-Linux-x86_64-*.run

2) Stop the display manager and switch to a TTY

Using SSH from another machine (recommended) or locally:

sudo systemctl stop gdm3
# or: sudo systemctl stop sddm
# or: sudo systemctl stop lightdm

Switch to a TTY (e.g., Ctrl+Alt+F3) and log in.

3) Run the installer with module signing

sudo ./NVIDIA-Linux-x86_64-*.run
# When prompted about Secure Boot / signing, allow it to generate a keypair.

The installer will typically place files like:

Private key: /usr/share/nvidia/nvidia-modsign-key-<ID>.key
Certificate: /usr/share/nvidia/nvidia-modsign-crt-<ID>.der

4) Enroll the signing certificate (MOK)

If Secure Boot is enabled, the kernel will only load signed modules and the cert must be enrolled.

# Import the certificate (DER or X.509)
sudo mokutil --import /usr/share/nvidia/nvidia-modsign-crt-<ID>.der

You’ll be asked to create a temporary password. Remember it—you’ll enter it at the next boot.

5) Reboot and enroll in the blue screen

Reboot. On the blue MOK Manager screen:

Choose Enroll MOK → Continue
Select Yes to enroll the key
Enter the password you created
Reboot again

Verify enrollment:

mokutil --list-enrolled | grep -i nvidia || true
sudo modinfo -F signer nvidia

You should see your key listed and modinfo should not say unsigned.

6) Make sure NVIDIA is used (and nouveau is not)

Blacklist nouveau and ensure DRM modeset is enabled for NVIDIA:

echo "blacklist nouveau" | sudo tee /etc/modprobe.d/blacklist-nouveau.conf
echo "options nouveau modeset=0" | sudo tee -a /etc/modprobe.d/blacklist-nouveau.conf
sudo update-initramfs -u

Ensure GRUB has the NVIDIA modeset parameter:

sudo nano /etc/default/grub
# Change this line (append if missing):
# GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nvidia-drm.modeset=1"

sudo update-grub

Wayland note (GNOME): Drivers 5xx+ generally work with Wayland when nvidia-drm.modeset=1 is set and GDM allows Wayland. If you previously forced Xorg, undo it:

sudo sed -i 's/^WaylandEnable=false/#WaylandEnable=false/' /etc/gdm3/custom.conf

Re-enable your display manager and/or reboot:

sudo systemctl start gdm3
# or just reboot
sudo reboot

7) Verify it’s actually working

nvidia-smi

Should show the driver version and your GPU.

glxinfo | grep "OpenGL renderer"

Should show NVIDIA , not llvmpipe.

for m in nvidia nvidia_modeset nvidia_uvm nvidia_drm; do
  printf "%-15s %s\n" "$m" "$(modinfo -F signer "$m" 2>/dev/null || echo 'not loaded')"
done

Each module’s signer should correspond to your enrolled key.

Appendix: Quick Command Recap

# Install prereqs
sudo apt update && sudo apt install -y build-essential dkms linux-headers-$(uname -r) mokutil mesa-utils

# Stop display manager and run installer
sudo systemctl stop gdm3
cd ~/Downloads && chmod +x NVIDIA-Linux-x86_64-*.run
sudo ./NVIDIA-Linux-x86_64-*.run --dkms

# Enroll cert
sudo mokutil --import /usr/share/nvidia/nvidia-modsign-crt-<ID>.der

# Reboot → Enroll MOK on blue screen

# Block nouveau + enable modeset
echo "blacklist nouveau" | sudo tee /etc/modprobe.d/blacklist-nouveau.conf
sudo update-initramfs -u
sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nvidia-drm.modeset=1"/' /etc/default/grub
sudo update-grub
sudo reboot

# Verify
nvidia-smi
glxinfo | grep "OpenGL renderer"
for m in nvidia nvidia_modeset nvidia_uvm nvidia_drm; do modinfo -F signer "$m"; done

TL;DR#

Prerequisites#

1) Download the official NVIDIA driver#

2) Stop the display manager and switch to a TTY#

3) Run the installer with module signing#

4) Enroll the signing certificate (MOK)#

5) Reboot and enroll in the blue screen#

6) Make sure NVIDIA is used (and nouveau is not)#

7) Verify it’s actually working#

Appendix: Quick Command Recap#