Hi folks,

I have a problem, a big problem. I have posted a thread over at the Debian forums, but I’m unfortunately in a hurry (my workstation is bricked) so I’m going to cross-post it here (Skullgrid@lemmy.world kindly redirected me to this community for help).

I’m going to paste the text from the Debian help thread below, hopefully someone has an idea how I can pull myself out of this mess.

Quite a bit has happened, so I’ll give you a short version with what I think is essential information, and if you need other details please do ask.

Essentially, I tried getting the nvidia driver on a fresh Trixie install using this tutorial (https://fostips.com/install-nvidia-driver-in-debian-13/). I reached the part where it says “After reinstalled the driver, restart your computer.”, that’s when the terminal turned blue and told me with big centered text that the free driver (?) was already installed and it’s conflicting with the new one I am trying to install, but I just need to reboot in order to solve the conflict. So I rebooted and I was greeted by the following prompt.

This goes nowhere, it never boots into Debian. Thinking I had broken Debian, I thought to myself, no big deal, Debian had an issue anyways (see https://forums.debian.net/viewtopic.php?p=827488), I’ll try another random distro (Bazzite) see if it helps. But after installing Bazzite over Trixie, I got the following prompts at boot :

(this one is a bit blurry, it says “Verification failed: (0x1A) Security Violation”)

If I go for “Continue boot” it just cycles over and over again on these prompts. And I don’t know what to make of the other choices here.

I can see it’s related to the operation I did with the nvidia driver, but I don’t understand how the problem wasn’t solved by wiping my drive with another distro ? twice… now I have tried with Nobara as well, only to get the same prompts. How can I solve this issue ? my computer is bricked and I really hope that’s fixable. Anyone has a clue ?

Like I said, don’t hesitate to ask if there’s something I haven’t said…

Cheers,

  • brucethemoose@lemmy.world
    10 days ago

    Not the best advice but:

    • …Do you need secure boot? The absolute easiest solution would be to disable it in the BIOS, as it’s quite finicky. This is what I do.

    • When you get to the part of “enable non-free repositories” in any distro to get Nvidia working, that’s code for “we don’t support Nvidia, we aren’t responsible for something breaking and you’re on your own.” Nobara is not a bad choice (as it does support Nvidia), but in general I’d recommend a distro with 1st party Nvidia support. Probably openSUSE if it’s a workstation. Long term, this is how you avoid Nvidia problems.

    Again, I’m not trying to say “you’re linuxing wrong,” but with my lack of knowledge on secure boot, I’m emphasizing my extremely poor experience of distros that do not directly prioritize Nvidia support/fixes.

    • Hadriscus@jlai.luOP
      9 days ago

      oh, but I am, lol. I am totally Linuxing wrong, I’m new to this thing, if you don’t count my clumsy forays a decade or two ago. So your advice would be to go for a distro that bundles the nvidia drivers? I’m not sure what first-party means here?

      In any case thanks for the clarification, and for the advice of disabling secureboot. As I said to a few other commenters already, it’s disabled now and the system boots again. I have lots on my plate still, but at least this part is… more or less solved. Cheers!

      • brucethemoose@lemmy.world
        9 days ago

        Yes, exactly. Specifically, I mean the Nvidia proprietary drivers are explicitly available in the repos and installed by default if detected, which is not the case on Debian apparently.

        I’d recommend openSUSE or an Arch-based distro like CachyOS, both of which put great efforts into Nvidia support in my experience.

        • Hadriscus@jlai.luOP
          9 days ago

          I heard about CachyOS from CGI peers, good words. I might try it next. Thanks again

          • brucethemoose@lemmy.world
            9 days ago

            I’ve been on Cachy (with Nvidia cards) for years, in fact the same partition/install for a long time. I don’t even mess with the system anymore; it just works.

            I have zero inclination to distro hop.

            That being said, any Arch based distro is hands on.

            • You should be vaguely familiar with your system (as in “I run KDE Wayland, I have an Nvidia card and AMD integrated graphics, I run pipewire audio and this brand of WiFi,” stuff like that).

            • When you update, you watch the console for warnings or instructions from the maintainers.

            • You read the Arch wiki, you make informed choices about what you install if you need, say, a working printer or a particular boot manager.

            Stuff is less… preconfigured and staged than other distros, but the benefit is critical mass and problems getting fixed quick, as opposed to just living with them in other distros. CachyOS (which basically sits on top of Arch) helps a lot with this preconfiguration though, as I’ve loved all the tweaks/configs they ship.

            • Hadriscus@jlai.luOP
              9 days ago

              Ok, I see. I like less hand-holding, as long as I know what I am doing a little bit. I heard how Arch was more barebones and the install process was a lot more manual. I guess I will play with it now that I have a windows-free drive sitting there…

              You mention it’s the same install, does that mean upgrades never break your system? I just read about btrfs and the possibility of making snapshots. Is it the same thing?

              • brucethemoose@lemmy.world
                9 days ago

                Fortunately CachyOS has an installer just like anything.

                It’s really not that different. “Hands on” is kinda the wrong word, as is “less preconfigured” as I described it. I think the more accurate term is “requires passive attention.”


                So in Ubuntu (back when I used it starting with Linux), it didn’t get a ton of updates outside security. It doesn’t change much. If something goes wrong, I troubleshoot and usually conclude… well, the bug is known, and something needs updating if I want it to work.

                Then what? Do I roll the old package forward manually and basically maintain my own “patch” on the system? Do I maintain some weird custom workaround/install? I did a lot of both, and it both ate a ton of time and gradually broke my “easy don’t mess with it” system.

                CachyOS is totally different. Unless a problem is my stupid fault, my troubleshooting process the past two years has been “flag if necessary, maybe roll back one version temporarily, and it gets fixed in days, if not hours”. But rarely (like less than seasonally), a package does get borked, or a text warning comes down the pipe like “we can’t automatically change this for you via pacman but you should really really change this config.”

                That’s a perfect example of how Arch expects a basic level of attentiveness from the user. Nothing hard. But more than required for, say, Windows.

                And the benefit (in my experience) is enormous.


                I don’t mean to glaze Arch/Cachy so much. Other distros are similar, and I’d recommend trying openSUSE Tumbleweed in particular. The philosophy is similar, and SUSE does an outstanding job maintaining it.

  • Brickfrog@lemmy.dbzer0.com
    10 days ago

    This probably won’t help you now (unless you decide to re-install Debian) but just for reference Debian’s wiki does have some very thorough documentation on the Nvidia driver installation process:

    https://wiki.debian.org/NvidiaGraphicsDrivers

    Judging from your post / the wiki page, assuming you do have Secure Boot enabled it looks like you forgot to enroll the MOK before installing the Nvidia driver. The steps also mention using dracut to add a .conf to blacklist (disable) the default nouveau driver so typically that’s done before your reboot.

    PS - If you started out doing this with a fresh Trixie install would it be easy enough just to re-install and then re-do the Nvidia instructions? Plus technically if you wanted you could disable Secure Boot in your BIOS before the install and skip the extra Secure Boot configuration entirely.

    • Hadriscus@jlai.luOP
      9 days ago

      Thanks for linking to the doc. I usually rtfm, not sure why I did not have that reflex here heheh.

      Regarding the secureboot issue, I followed the instructions in the tutorial in the order they were presented to me. Maybe I did forget a step! I can’t really say now. In any case, I disabled secureboot and it boots again. However would you say I should fix whatever I did with the MOK key? I can’t tell if it’s really serious. Or can I continue using my machine in this state? I mean, with secureboot disabled? Did I break something?

      Yes indeed I will wipe everything from a live image and start over. However I will definitely try a different distro, one that bundles the drivers from the get-go, the reason is : I am trying to test my video card with Linux. I’ve been having intensifying issues and I suspect a hardware failure, but I couldn’t be sure until I used the card with Linux and it exhibits similar symptoms. So that’s what this whole thing is about.

      Thanks a lot for the help. I was feeling very distressed yesterday, it’s better now. Cheers

      • Brickfrog@lemmy.dbzer0.com
        9 days ago

        You can leave Secure Boot disabled IMO, it’s kind of up to you. Either way if you’re going to wipe and re-install then you can start over with or without Secure Boot - Just keep in mind you may need to perform extra steps if you opt to leave Secure Boot enabled.

        • Hadriscus@jlai.luOP
          9 days ago

          yea I won’t forget this episode heheheh. Thanks. I am writing this from Nobara 42. My machine is back in a working state (until I get to the crux of my issue, which is a hardware issue unfortunately). I cannot thank you enough (and the other folk). Cheers,

  • colournoun@beehaw.org
    10 days ago

    Can you turn off Secure Boot in your BIOS/EFI? That should get you booting again, and then you can figure out the MOK.

    Another thing to check is that your EFI is actually booting the Linux kernel. It could be booting the MOK enrollment program which runs only at boot time. There should be a selection in the EFI settings that mentions “next boot” or something like that.

      • colournoun@beehaw.org
        10 days ago

        Further, I think your EFI Boot Manager has a BootNext entry that is booting the MOK utility instead of the Linux shim or kernel. You should be able to remove this BootNext entry in your EFI settings.

        If you can get it booted into Linux from a bootable USB drive, you can use the “efibootmgr” program to inspect and remove the BootNext entry.

        sudo efibootmgr

        will show you all of the EFI boot entries. If the first line says BootNext, then that’s likely the problem. Note that these are not grub boot entries. The EFI has a boot list that happens before grub.

        sudo efibootmgr --delete-bootnext

        will remove the temporary BootNext entry.

        After that, make sure secure boot is disabled and you should be able to boot Linux.
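
An added example, not part of the comment above: a read-only check that parses `efibootmgr` output and reports which entry a pending BootNext points at, so you can see what the firmware will launch before deleting anything. The function names and the sample boot entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `efibootmgr` output (labels invented for illustration).
SAMPLE_PENDING='BootNext: 0003
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0002
Boot0001* debian
Boot0002* UEFI: USB stick
Boot0003* MokManager'

# Reads efibootmgr output on stdin. Prints "<id> <label>" for the entry that
# BootNext points at, or nothing when no BootNext is set.
bootnext_target() {
    awk '
        /^BootNext:/ { next_id = toupper($2) }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            id = toupper(substr($1, 5, 4))
            label = $0
            sub(/^Boot[0-9A-Fa-f]+[* ] /, "", label)  # strip the "BootNNNN* " prefix
            sub(/\t.*$/, "", label)                   # strip the device path, if printed
            labels[id] = label
        }
        END {
            if (next_id != "")
                printf "%s %s\n", next_id, ((next_id in labels) ? labels[next_id] : "(no such entry)")
        }'
}

# Turns the parse result into a hint for the operator; it never changes NVRAM.
report_bootnext() {
    target=$(bootnext_target)
    if [ -z "$target" ]; then
        echo "BootNext not set: firmware will follow BootOrder"
    else
        echo "BootNext pending -> $target (clear with: sudo efibootmgr --delete-bootnext)"
    fi
}

# Demo on the constructed sample. On a real system: sudo efibootmgr | report_bootnext
printf '%s\n' "$SAMPLE_PENDING" | report_bootnext
```
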

    • Hadriscus@jlai.luOP
      9 days ago

      Hi, I responded to a couple other comments already to say this : thank you, I disabled secureboot and the machine boots now. I’m hoping that whatever I did with the MOK key is fixable, or at least that it won’t cause problems down the line. Would you be able to tell me? from what I’ve been able to gather it’s a means to authenticate hardware… I don’t know if I need that level of security?

      Cheers, appreciate the help a lot

      • colournoun@beehaw.org
        9 days ago

        The MOK key stuff is fixable, but it sounds like you don’t have a big need for SecureBoot in the first place. I would say leave it disabled for now.

        Also, SecureBoot is more of a way to authenticate the software that is being loaded at boot time. It could prevent someone from inserting something bad at boot time. It’s nice to have but not required.

  • Skullgrid@lemmy.world
    10 days ago

    reposting my previous comment to help troubleshooters :

    you done fucked up the secure boot settings I think. I am in no way qualified to help you.

    I don’t even understand how you can install a different OS. Work off a live USB if you even can.

    As far as I understand this is the bit you fucked up. btw, the images in the debian forum post just show “filename1.jpg” as text and don’t display. post on !/c/linux4noobs@programming.dev

    Step 2: Enroll MOK key for Secure Boot
    
    Debian updates its kernel (minor versions) regularly for security updates and fixes. Without re-building kernel modules every time, DKMS is used, which however needs to be signed for secure boot using a machine owner key (MOK).
    
    1. First, run the command below in a terminal to check if Debian was installed with UEFI boot:
    
    ls /sys/firmware/efi
    
    The command lists the /sys/firmware/efi directory content. If it says “No such file or directory”, then you have Debian installed as legacy boot.
    
    2. Next, run the command to check if secure boot is enabled:
    
    sudo mokutil --sb-state
    
    If both UEFI and secure boot are enabled (as the screenshot below shows you), then you need to run the commands below one by one to create and enroll a MOK key.
    
    3. First, run the command below to manually generate a MOK key.
    
    sudo dkms generate_mok
    
    Run sudo apt install dkms if the dkms command is not found, and set a password for the key.
    
    4. Next, run the command to import the key:
    
    sudo mokutil --import /var/lib/dkms/mok.pub
    
    5. Finally, reboot your computer. At next boot, it should pop up a screen (see the screenshot below), asking to perform MOK management.
    
    There, just choose to Enroll MOK -> continue -> confirm -> enter password (you set when creating the key) -> reboot.
    
    After enabling the non-free repository and enrolling the MOK key, you may then run the commands below to install the NVIDIA driver.
    
    First, install the kernel headers for DKMS:
    
    sudo apt install linux-headers-$(dpkg --print-architecture)
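
An added example, not part of the comment or the tutorial it quotes: a check to run after step 4 or 5 and before installing the driver, which classifies the output of `mokutil --sb-state` and `mokutil --test-key` into one verdict. The function names are hypothetical, and the matched phrases are assumed to follow mokutil's usual wording; the sample strings are constructed.

```shell
#!/bin/sh
MOK_PUB=/var/lib/dkms/mok.pub   # key path used in the steps above

# $1 = output of `mokutil --sb-state`
# $2 = output of `mokutil --test-key "$MOK_PUB"`
# Prints one word: not-needed | enrolled | pending | missing | unknown
mok_verdict() {
    case $1 in
        *"SecureBoot enabled"*) ;;                      # go on to the key check
        *"SecureBoot disabled"*|*"not supported"*)      # Secure Boot off, or legacy boot
            echo not-needed; return 0 ;;
        *)  echo unknown; return 0 ;;
    esac
    case $2 in
        *"already in the enrollment request"*) echo pending ;;
        *"already enrolled"*)                  echo enrolled ;;
        *"not enrolled"*)                      echo missing ;;
        *)                                     echo unknown ;;
    esac
}

# Maps a verdict to the next action for the operator.
mok_advice() {
    case $1 in
        not-needed) echo "Secure Boot is not enforcing: no MOK enrollment required" ;;
        enrolled)   echo "Key is enrolled: modules signed with it will be accepted" ;;
        pending)    echo "Import is queued: reboot and finish Enroll MOK with the password you set" ;;
        missing)    echo "Key is not enrolled: run 'sudo mokutil --import $MOK_PUB' before installing the driver" ;;
        *)          echo "Unrecognised mokutil output: inspect it by hand" ;;
    esac
}

# Demo on constructed sample output. Live use:
#   mok_advice "$(mok_verdict "$(mokutil --sb-state 2>&1)" "$(mokutil --test-key "$MOK_PUB" 2>&1)")"
mok_advice "$(mok_verdict 'SecureBoot enabled' "$MOK_PUB is not enrolled")"
```
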
    
    • Hadriscus@jlai.luOP
      10 days ago

      The install process for Bazzite and Nobara seemed to go without a hitch, made me think I was out of the woods…

      • Skullgrid@lemmy.world
        10 days ago

        I think you need to enroll the mok key. I hope you remember the password you set when going through those steps.

        NB : I have no fucking idea on secure boot.

        • Hadriscus@jlai.luOP
          10 days ago

          Ok, I will look this up and try to understand what it means. I do remember the pass I set, it’s just my regular password. But not sure where to type it, because when I choose “enroll key from disk” it opens a file browser where I can navigate between my disks, then into the file systems… but I don’t know what I am looking for

            • Hadriscus@jlai.luOP
              10 days ago

              yes, this is what I tried to find after going back through the tutorial steps. But this file path is the Linux filesystem right? I wiped the Debian earlier this afternoon (to try Bazzite, then Nobara), I imagine this file has been wiped with it?

              • Skullgrid@lemmy.world
                10 days ago

                Oh god no. I think you’re fucked. Wait for someone who knows what the hell is going on and rephrase your problem as a secure boot issue

                • Hadriscus@jlai.luOP
                  10 days ago

                  Mh, sounds like a bad omen… If I had to replace a part (hardware) to get it working, which one would it be?

    • Hadriscus@jlai.luOP
      8 days ago

      Thanks a lot, yea even though I understand I can do without it, it’s still somewhere in the back of my mind, unresolved… for now I’ll focus on getting my workstation up and running again (I have a graphics card failure on top of it all), but that link is safe in my bookmarks. Much appreciated !!