Setting up Ubuntu 18.04 LTS Bionic with nvidia drivers and secure boot enabled on HP Z840 workstation

Philipp Lies
Nov 19, 2019

We recently got a new computer in the lab, an HP Z840 with two NVIDIA GeForce RTX 2080 Ti cards. Hardware issues with connecting the HP power supply to the graphics cards aside, installing Linux on this computer was a pain in the ass because of the secure boot setup. This tutorial might work for other computers which require secure boot.

The issue

Running Ubuntu 18.04.3 from a USB stick failed in the default configuration with secure boot enabled: after the boot process the display crashed and only smushed and squeezed pixels were shown. It always happened when the nouveau driver was loaded, so I assume the driver was not properly signed or was incompatible with the RTX 2080 Ti. But when I disabled secure boot and enabled legacy mode in the BIOS, the SSD was no longer found by the BIOS, so there was no bootable device.

The solution

The solution is rather complicated: we need to disable secure boot to install Ubuntu, then install and sign the latest nvidia drivers before switching secure boot back on.

The first step is to disable secure boot. Start the workstation and hit ESC when the HP logo appears. Go to the BIOS setup and switch the secure boot setting to “secure boot disabled, legacy mode enabled”, then make sure USB is the first device in the boot order. Reboot and start the Ubuntu live stick.

Now you can install Ubuntu as usual. Once the installation is completed, we need to install the latest nvidia driver, sign the driver, and add the signature used to sign the driver to the secure boot firmware. From within the live stick environment you can access the fresh installation with the chroot command. Open a terminal and run the following commands (replace /dev/sda1 with your hard disk device name):

sudo mount /dev/sda1 /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
sudo chroot /mnt
apt update
apt upgrade
Source: https://help.ubuntu.com/community/LiveCdRecovery

If you don’t get a network connection, the nameserver entries might be missing. In that case, just add
nameserver 208.67.222.222
nameserver 208.67.220.220
to your /etc/resolv.conf configuration.

Next you need to download the latest nvidia driver and store it somewhere in the chroot environment, e.g. /mnt/tmp/. The usually recommended PPA with the nvidia drivers did not work for me, as it crashed the system similarly to the nouveau driver. I guess the driver signature is not imported correctly, so I decided to install and sign the drivers manually.

Run the nvidia installer and make sure not to enable DKMS, as the automatic build does not support driver signing. When asked, select yes for signing the drivers and note the location of the signature file. The .der file is the public certificate of the signing key, and mokutil registers it as a Machine Owner Key (MOK) enrollment request that is confirmed on the next boot. After the installation is completed, run the following command to add the signature to the UEFI firmware:
sudo mokutil --import /usr/share/nvidia/<signature filename>.der
You will be prompted for a password. You will need this password after the reboot to complete the installation.

Now reboot, remove the USB stick and enter the BIOS setup. Switch back from secure boot disabled to secure boot enabled and let the computer boot from your SSD. A blue screen for the key management should appear. Select install key and run MOK to install the keys. You will be prompted for the previously set password and then the computer will reboot.

If all went well, your Ubuntu should now boot up with the nvidia drivers successfully loaded. Open a terminal and run nvidia-smi to check for your devices. If you get an error message, then the signature failed and the driver could not be loaded. Repeat the previous steps and check if you missed an error message somewhere. I hope this helps some people to get their Ubuntu up and running faster.
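
When nvidia-smi reports an error, the script below narrows down which stage of the procedure above failed: secure boot state, the appended module signature, or the key enrollment. It is an added example, not part of the original post; the function names and result labels are hypothetical, and the mokutil messages it matches are assumed from the tool's usual output.

```shell
#!/bin/sh
# Added example (not from the original post): stage-by-stage check of the
# signed-driver setup. Function names and result labels are hypothetical.

# Signed kernel modules end with this marker followed by a newline (28 bytes).
MAGIC='~Module signature appended~'

# True if the (uncompressed) module file carries an appended signature.
module_is_signed() {
    # $(...) strips the trailing newline, leaving the 27-character marker.
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$MAGIC" ]
}

# diagnose SB_STATE TEST_KEY_OUTPUT MODULE_FILE
#   SB_STATE         output of: mokutil --sb-state
#   TEST_KEY_OUTPUT  output of: mokutil --test-key <certificate>.der
#   MODULE_FILE      path printed by: modinfo -n nvidia
# Assumes mokutil's usual messages "SecureBoot enabled" and
# "... is already enrolled". Prints the first stage that fails, or "ok".
# "ok" does not prove the module was signed with that particular key.
diagnose() {
    case "$1" in
        *"SecureBoot enabled"*) ;;
        *) echo "secure-boot-off"; return 0 ;;
    esac
    if ! module_is_signed "$3"; then
        echo "module-unsigned"; return 0
    fi
    case "$2" in
        *"is already enrolled"*) echo "ok" ;;
        *) echo "key-not-enrolled" ;;
    esac
}

# Live use on the installed system:
#   sh check-nvidia-sb.sh /usr/share/nvidia/<signature filename>.der
if [ -n "${1:-}" ]; then
    diagnose "$(mokutil --sb-state 2>&1)" \
             "$(mokutil --test-key "$1" 2>&1)" \
             "$(modinfo -n nvidia 2>/dev/null)"
fi
```

A result of module-unsigned points back to the installer's signing prompt, while key-not-enrolled means the MOK enrollment screen was skipped or the password entry failed.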
