Bugzilla – Bug 1208939
Kernel 6.2.1 update no longer loads unsigned kernel modules
Last modified: 2023-03-07 20:12:37 UTC
I use fah app (scientific computing). It needs opencl and cuda. I use my nvidia card (GT 1030) only for computing. Today 2023/03/04 I got a current update with packagekit. After restarting PC, fah service does not find opencl and cuda. I deleted all the nvidia packages, then reinstalled them by installing nvidia-drivers-minimal-G06 package. I restarted the PC. No success. Fah does not find any opencl or cuda.

Also:
- there is no more "GPU current" temp sensor.
- the gkrellm plugin "nvidia" using SMI does not supply any temp and frequency.

kde kcm "data center" does not find opencl.
Created attachment 865282: nvidia installed packages
I guess this is the change in our kernel for 6.2.1 to no longer load unsigned kernel modules. :-( In order to verify this either boot an older kernel or disable Secureboot in your Firmware/BIOS. But I see you're trying to use the openGPU driver from nvidia now. AFAIK GT1030 is still Pascal architecture, which is not supported by this driver. You would need to select nvidia-driver-G06-kmp-default instead and remove again nvidia-open-driver-G06-signed-kmp-default and kernel-firmware-nvidia-gsp-G06.
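As an added illustration (not part of the bug report, and not SUSE or NVIDIA code): a signed module carries its PKCS#7 signature appended after the ELF image, so whether a given .ko file is signed at all can be checked offline by parsing that trailer. The function and sample names are made up for this example; it only detects a well-formed appended signature and does not verify it or check that the signing key is in a keyring the kernel trusts.

```python
import struct
import sys
from typing import NamedTuple, Optional

# Layout the kernel expects at the end of a signed module file:
#   [ELF image][PKCS#7 signature][struct module_signature][magic string]
MAGIC = b"~Module signature appended~\n"   # MODULE_SIG_STRING
TRAILER = struct.Struct(">5B3sI")  # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
PKEY_ID_PKCS7 = 2


class ModuleSig(NamedTuple):
    elf_len: int       # size of the module image without the appended data
    signature: bytes   # raw PKCS#7 blob (not verified here)


def parse_module_signature(data: bytes) -> Optional[ModuleSig]:
    """Return the appended signature, or None if the module is unsigned.

    Raises ValueError when the magic is present but the trailer is malformed.
    """
    if not data.endswith(MAGIC):
        return None
    sig_end = len(data) - len(MAGIC) - TRAILER.size
    if sig_end < 0:
        raise ValueError("file too short for a signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = \
        TRAILER.unpack_from(data, sig_end)
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unexpected id_type {id_type}, not PKCS#7")
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("reserved trailer fields are not zero")
    if not 0 < sig_len < sig_end:
        raise ValueError("sig_len does not fit in the file")
    return ModuleSig(sig_end - sig_len, data[sig_end - sig_len:sig_end])


def make_sample(signed: bool) -> bytes:
    """Constructed stand-in for a .ko file; the 'signature' is dummy bytes."""
    elf = b"\x7fELF" + b"\0" * 60
    if not signed:
        return elf
    sig = b"\x30\x82" + b"S" * 254
    return elf + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(sig)) + MAGIC


if __name__ == "__main__":
    # Usage: python3 modsig.py /path/to/module.ko  (decompress a compressed module first)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True)
    info = parse_module_signature(raw)
    print("unsigned" if info is None else f"signed, {len(info.signature)} byte PKCS#7 blob")
```

A module that parses as signed can still be rejected at load time if its signing key is not in one of the kernel's trusted keyrings.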
I disabled "secure boot". Same result: no opencl or cuda.
>>But I see you're trying to use the openGPU driver from nvidia now. AFAIK
>>GT1030 is still Pascal architecture, which is not supported by this driver.
>>You would need to select nvidia-driver-G06-kmp-default instead and remove
>>again nvidia-open-driver-G06-signed-kmp-default and
>>kernel-firmware-nvidia-gsp-G06.

I did not install these packages. I just selected nvidia-drivers-minimal-G06 package.
(In reply to Episteme PROMENEUR from comment #4)
> >>But I see you're trying to use the openGPU driver from nvidia now. AFAIK
> >>GT1030 is still Pascal architecture, which is not supported by this driver.
> >>You would need to select nvidia-driver-G06-kmp-default instead and remove
> >>again nvidia-open-driver-G06-signed-kmp-default and
> >>kernel-firmware-nvidia-gsp-G06.
>
> I did not install these packages. I just selected nvidia-drivers-minimal-G06
> package.

... which then selected and installed these.

%package -n nvidia-drivers-minimal-G06
Summary: Meta package for compute only installations
Group: System/X11/Utilities
Requires: nvidia-compute-utils-G06
Requires: nvidia-compute-G06
Requires: (nvidia-driver-G06-kmp = %{version} or nvidia-open-driver-G06-kmp = %{version} or nvidia-open-driver-G06-signed-kmp = %{version})

%description -n nvidia-drivers-minimal-G06
This is just a Meta package for compute only installations.

Please try what I told you.
Now:
- secureboot is disabled
- the required packages are installed
- the non compliant packages are no more installed.

success: fah detects opencl and cuda.
Ok. Hopefully this is fixed now with the following changes.

-------------------------------------------------------------------
Sat Mar 4 19:33:22 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>

- sign kernel modules also on TW (boo#1208939)

-------------------------------------------------------------------
Fri Feb 17 04:58:32 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>

- moved cuda-drivers provides to nvidia-compute-utils-G06

Updated packages should be available soon.
What does it mean?

Can we enable secure boot?

Can we use nvidia-drivers-minimal-G06 package with a GT 1030?

A secondary question:
when proceeding a headless installation we don't get anymore the adapter sensors and the app “NVIDIA settings”. It would be a good thing to get them again, perhaps with a separate package.
(In reply to Episteme PROMENEUR from comment #8)
> What does it mean?
>
> Can we enable secure boot?

Yes.

> Can we use nvidia-drivers-minimal-G06 package with a GT 1030?

Since it selects the open driver by default at least on your system (not sure why; maybe you can taboo it via zypper lock) the answer is no. What you can try is

zypper in --no-recommends nvidia-compute-utils-G06 nvidia-driver-G06-kmp-default

> A secondary question:
> when proceeding a headless installation we don't get anymore the adapter
> sensors

Not sure what you mean with that. Special app? Maybe

> and the app “NVIDIA settings”. It would be a good thing to get them
> again, perhaps with a separate package.

nvidia-settings is now in nvidia-utils-G06 package due to its dependencies
"headless" installation of the driver <=> minimal installation for computing
Sorry, I don't understand what you mean with "adapter sensors".
The sensor of the nvidia card for delivering temp for example.

To get temp we need to install the video driver.
(In reply to Episteme PROMENEUR from comment #12)
> The sensor of the nvidia card for delivering temp for example.
>
> To get temp we need to install the video driver.

Which video driver? You mean the X driver? This sounds weird. So which file is missing here?
I don't know which part to install to get sensors. I know only if I proceed a minimal installation for computing then I get no more any sensor to display with gkrellm.
I can see the temperature in the output of 'nvidia-smi' which is part of nvidia-compute-utils-G06. So together with nvidia-driver-G06-kmp-default I don't see what's missing here ...
We can get temp, fans etc. without using SMI. Gkrellm detects not any sensors with a minimal installation.
gkrellm is a desktop app. So of course it needs some video driver. But I had the impression you had some different gfx card (internal Intel probably) for your desktop and used the nvidia card just for CUDA/OpenCL. No idea what gkrellm does. If it checks the temperature of the gfx card currently in use for the desktop or also additional nvidia gfx cards.
(In reply to Episteme PROMENEUR from comment #16)
> We can get temp, fans etc. without using SMI.
>
> Gkrellm detects not any sensors with a minimal installation.

I don't force anybody to make use of the minimal installation.
If I made a full installation of the NVIDIA card along the Intel iGPU and I don't use the NVIDIA card for the monitor, just for computing, there is no sensor problem. Gkrellm detects the nvidia sensors for displaying temp, fan, etc. That's why I say sensor part installation is missing with a minimal installation.
I just say that for computing, it is useful to know GPU core temp, fan speed, etc.
Then I guess it's some library in nvidia-gl-G06 or nvidia-video-G06, which is needed by gkrellm. You could try to figure out which one ...
I installed nvidia-gl-G06. No sensors. Then certainly the sensor part is in nvidia-video-G06.
Hmm. Interesting. That would be one of these:

rpm -qpl nvidia-video-G06-525.89.02-7.1.x86_64.rpm
/usr/lib64/gbm
/usr/lib64/gbm/nvidia-drm_gbm.so
/usr/lib64/libnvcuvid.so
/usr/lib64/libnvcuvid.so.1
/usr/lib64/libnvcuvid.so.525.89.02
/usr/lib64/libnvidia-allocator.so.1
/usr/lib64/libnvidia-allocator.so.525.89.02
/usr/lib64/libnvidia-encode.so.1
/usr/lib64/libnvidia-encode.so.525.89.02
/usr/lib64/libnvidia-opticalflow.so.1
/usr/lib64/libnvidia-opticalflow.so.525.89.02
/usr/lib64/libvdpau_nvidia.so
/usr/lib64/vdpau
/usr/lib64/vdpau/libvdpau_nvidia.so.1
/usr/lib64/vdpau/libvdpau_nvidia.so.525.89.02
Ok. ChatGPT just told me that gkrellm uses nVidia's XNVCtrl Xserver extension to display the temperature. I'm not sure how this extension gets added to the Xserver. Either by loading nVidia's glx extension or the X driver itself. But both are in nvidia-gl-G06.

/usr/lib64/xorg/modules/extensions/libglxserver_nvidia.so.525.89.02
/usr/lib64/xorg/modules/drivers/nvidia_drv.so

You can check that with xdpyinfo. One of the extensions will be called 'XNVCtrl' or similar. So of course after installing nvidia-gl-G06 you also need to restart the Xserver.
I don't understand how to use xdpyinfo.
Just run it in a terminal on the desktop.

I was wrong. The extensions, which are added by NVIDIA, are

NV-CONTROL
NV-GLX

So I think NV-CONTROL is what is being used by gkrellm (using the XNVCtrl library).
BTW, I only found a gkrellm plugin, which we don't ship AFAIK.

https://github.com/carcass82/gkrellm-nvidia

But this now switched from XNVCtrl library to NVML ...

This begs the question where your gkrellm is coming from ...
With Yast software manager, I found a “libXNVCtrl0” 510.47.03 package. There is not any 525.89 version. Perhaps a solution ?
My gkrellm is coming from tumbleweed main repo OSS.
Ok. Just figured out that gkrellm uses 'nvidia-settings' tool internally to display the temperature. This is in package nvidia-utils-G06. But of course you still need also nvidia-gl-G06 since 'nvidia-settings' also used NV-CONTROL Xserver extension. But with that this is no longer a minimal installation. ;-)
NVML is used by SMI. Then it is installed with a minimal installation just for computing.

If we can't separate the sensor part of the Nvidia driver, perhaps it is possible to create fake sensors. These sensors would deliver temp, fan speed, frequency etc. These fake sensors would use SMI to deliver the values.

The "nvidia" plugin of gkrellm does not create fake sensors, but just displays in Gkrellm the output of SMI. This plugin can inspire a developer to create fake sensors.
there is

/usr/lib64/libnvidia-ml.so
/usr/lib64/libnvidia-ml.so.1
/usr/lib64/libnvidia-ml.so.525.89.02

in nvidia-compute-G06
Well, so why not use SMI from the beginning for this purpose? As I told you 'nvidia-smi' can tell you the temperature without the need for NV-CONTROL/libXNVCtrl0 interface.
(In reply to Episteme PROMENEUR from comment #32)
> there is
>
> /usr/lib64/libnvidia-ml.so
> /usr/lib64/libnvidia-ml.so.1
> /usr/lib64/libnvidia-ml.so.525.89.02
>
> in nvidia-compute-G06

Yes, nvidia-smi needs it.
I think this gkrellm Plugin making use of NVML (I guess it's just using libnvidia-ml, but I didn't check this) is the right approach here.
Because SMI is not a monitoring tool.

A monitoring tool displays permanently, in an easy way on my desktop, various values as Gkrellm does.

Gkrellm "nvidia" plugin runs well. But it is a workaround. It works only with Gkrellm.
Obviously it does ...

https://github.com/carcass82/gkrellm-nvidia/blob/master/Makefile
[...]
LDLIBS += -lX11 -lnvidia-ml
[...]
What "Obviously it does" ?
(In reply to Episteme PROMENEUR from comment #36)
> Because SMI is not a monitoring tool.
>
> A monitoring tool displays permanently, in an easy way on my desktop, various
> values as Gkrellm does.
>
> Gkrellm "nvidia" plugin runs well. But it is a workaround. It works only
> with Gkrellm.

Feel free to improve the situation. I currently don't see how changing the packaging would help here. Minimal installation should not have any deps to X libs or even Xserver. Period.
That was an additional comment to comment#35
*** Bug 1208966 has been marked as a duplicate of this bug. ***
I built and installed the updated nvidia-driver-G06-kmp-default and it did not work for me. I noticed you've added some stuff using mokutil. I do not use shim for booting, instead have dracut configured to produce signed .efi images containing kernel + initramfs (the `uefi_secureboot_cert` option).

Is there anything I can do (most likely add something to `kernel_cmdline`) to make this work in such a setup?

(Disabling signature enforcement in kernel would be fine for me, as the initramfs is signed while the system drive is under FDE)
(In reply to dziobian from comment #42)
> I built and installed the updated nvidia-driver-G06-kmp-default and it did
> not work for me.

Repositories haven't been updated with my changes yet.

> I noticed you've added some stuff using mokutil.

Yes, but today I noticed that my changes simply don't help. Looks like things need to be done differently with TW kernels than with kernels on openSUSE Leap. :-(

> I do not
> use shim for booting, instead have dracut configured to produce signed .efi
> images containing kernel + initramfs (the `uefi_secureboot_cert` option).
>
> Is there anything I can do (most likely add something to `kernel_cmdline`)
> to make this work in such a setup?
>
> (Disabling signature enforcement in kernel would be fine for me, as the
> initramfs is signed while the system drive is under FDE)

Honestly I'm not an expert on this area. So I'm afraid I can't help you here. :-(
(In reply to dziobian from comment #42)
> I built and installed the updated nvidia-driver-G06-kmp-default and it did
> not work for me. I noticed you've added some stuff using mokutil. I do not
> use shim for booting, instead have dracut configured to produce signed .efi
> images containing kernel + initramfs (the `uefi_secureboot_cert` option).
>
> Is there anything I can do (most likely add something to `kernel_cmdline`)
> to make this work in such a setup?
>
> (Disabling signature enforcement in kernel would be fine for me, as the
> initramfs is signed while the system drive is under FDE)

Without shim which means without MOK, the only way is rebuild kernel and put the public key of nvidia-driver-G06-kmp-default to kernel.

Or disable secure boot.
(In reply to Joey Lee from comment #44)
> (In reply to dziobian from comment #42)
> > I built and installed the updated nvidia-driver-G06-kmp-default and it did
> > not work for me. I noticed you've added some stuff using mokutil. I do not
> > use shim for booting, instead have dracut configured to produce signed .efi
> > images containing kernel + initramfs (the `uefi_secureboot_cert` option).
> >
> > Is there anything I can do (most likely add something to `kernel_cmdline`)
> > to make this work in such a setup?
> >
> > (Disabling signature enforcement in kernel would be fine for me, as the
> > initramfs is signed while the system drive is under FDE)
>
> Without shim which means without MOK, the only way is rebuild kernel and put
> the public key of nvidia-driver-G06-kmp-default to kernel.
>
> Or disable secure boot.

Another approach, maybe we can try to enable CONFIG_SYSTEM_EXTRA_CERTIFICATE in openSUSE Tumbleweed kernel. As I remember, it will reserve a space for user to enroll public key to the space, then user needs to re-sign kernel by himself. So user doesn't need to re-compile kernel to embed public key.
Closing as duplicate. *** This bug has been marked as a duplicate of bug 1209006 ***