NVIDIA

From Kicksecure

NVIDIA - Troubleshooting and Driver Choice in Kicksecure.

Introduction


Nvidia [1] is one of the world's leading manufacturers of graphics processing units (GPUs), used in many areas, especially those involving graphics and visual workloads such as video games and video rendering.

NVIDIA Card Drivers


Introduction


Three NVIDIA driver options are available. Nouveau is the default freedom software driver. Software rendering (Pixman) disables hardware acceleration to prioritize stability. The proprietary NVIDIA driver is non-freedom software and may offer better performance and feature support on some hardware.

Sysmaint Notice


  • A If using user-sysmaint-split: The user must boot into the sysmaint session. For details and instructions on how to do so, see user-sysmaint-split.
  • B If using unrestricted admin mode: This sysmaint notice does not apply. Continue with the steps below.

Select an NVIDIA driver option.

NVIDIA Freedom Software Nouveau Driver

Pronounced [nuvo], which means new in French, [2] Nouveau is freedom software: a reverse engineered driver for NVIDIA GPUs.

It is installed and activated by default in Kicksecure. This is not specific to Kicksecure: the default is inherited from Debian and Linux, because Kicksecure is based on Debian.

Stability and performance Issues: Since Nouveau is fully reverse engineered for proprietary hardware, missing features such as CUDA [3] or reduced performance [4] can be expected. For these reasons, some users prefer to use the proprietary driver.

Software Rendering (Pixman)

This chapter forces software rendering (Pixman) and disables Nouveau acceleration. This can improve stability on some NVIDIA systems at the cost of performance. Software rendering is not a separate driver. It simply disables hardware acceleration. It is listed together with other drivers since this can be an alternative to the non-freedom NVIDIA driver.

1 Ensure the proprietary NVIDIA driver is not installed.

The proprietary NVIDIA driver must be absent before continuing (for example, packages such as nvidia-driver or cuda-drivers).

2 Force software rendering in wlroots.

Open file /etc/profile.d/15_desktop-config-dist.sh in an editor with administrative ("root") rights.

1 Select your platform.

Kicksecure

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

3 Open the file with root rights.

sudoedit /etc/profile.d/15_desktop-config-dist.sh

Kicksecure-Qubes

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
  • Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.

3 Open the file with root rights.

sudoedit /etc/profile.d/15_desktop-config-dist.sh

4 Notes.

  • Shut down Template: After applying this change, shut down the Template.
  • Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
  • Qubes persistence: See also Qubes Persistence
  • General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

2 Notes.

  • Example only: This is just an example. Other tools could achieve the same goal.
  • Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

3 Open the file with root rights.

sudoedit /etc/profile.d/15_desktop-config-dist.sh

Make sure WLR_RENDERER is always set to pixman.

Append the following at the very bottom of the file.

export WLR_RENDERER='pixman'

3 Reboot.

4 Verify WLR_RENDERER setting.

echo "$WLR_RENDERER"

Expected output:

pixman

5 Boot with Nouveau acceleration disabled.

Follow the instructions in Temporary Kernel Boot Parameter Change and add the following kernel parameter:

nouveau.noaccel=1

6 Verify the kernel parameter was applied.

Inspect Kernel Command Line.

cat /proc/cmdline | grep --color nouveau

Expected output:

nouveau.noaccel=1

7 Test session stability.

Use the system normally and check whether the session is stable. This approach keeps high display resolutions while enforcing software rendering, which can work around driver related rendering issues.

8 If successful, apply the kernel parameter permanently.

GRUB Permanent Configuration Changes

1 Open the GRUB user configuration file.

Open file /etc/default/grub.d/50_user.cfg in an editor with administrative ("root") rights.

1 Select your platform.

Kicksecure

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

3 Open the file with root rights.

sudoedit /etc/default/grub.d/50_user.cfg

Kicksecure-Qubes

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
  • Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.

3 Open the file with root rights.

sudoedit /etc/default/grub.d/50_user.cfg

4 Notes.

  • Shut down Template: After applying this change, shut down the Template.
  • Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
  • Qubes persistence: See also Qubes Persistence
  • General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

2 Notes.

  • Example only: This is just an example. Other tools could achieve the same goal.
  • Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

3 Open the file with root rights.

sudoedit /etc/default/grub.d/50_user.cfg

2 Add the kernel parameter.

GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nouveau.noaccel=1"

3 Save.

4 Regenerate GRUB configuration.

sudo update-grub

5 Reboot.

6 Verify the kernel parameter was applied.

Same as step 6 above, see verify the kernel parameter.

7 Done.

The permanent kernel parameter change has been applied.

9 Done.

Software rendering has been enabled.

NVIDIA Non-Freedom Software Proprietary Driver

The proprietary NVIDIA driver can provide better performance and feature support on some hardware, but it is non-freedom software.

You can obtain the NVIDIA driver either from the Debian repositories or from NVIDIA's own repository.

Debian Repository

Install package(s) firmware-nvidia-gsp nvidia-smi nvidia-driver nvidia-kernel-dkms following these instructions:

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the firmware-nvidia-gsp nvidia-smi nvidia-driver nvidia-kernel-dkms package(s).

Using the apt command line option --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends firmware-nvidia-gsp nvidia-smi nvidia-driver nvidia-kernel-dkms

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) firmware-nvidia-gsp nvidia-smi nvidia-driver nvidia-kernel-dkms is complete.

More details can be found on the Debian wiki page NvidiaGraphicsDrivers.

NVIDIA Repository

Security warning: Adding a third-party repository and/or installing third-party software allows the vendor to replace any software on your system, including but not limited to the installation of malware, file deletion, and data harvesting. Proceed at your own risk! See also Foreign Sources for further information. For greater safety, users adding third-party repositories should always use Multiple Kicksecure to compartmentalize VMs with additional software.

Kicksecure default admin password is: changeme

Documentation in the Kicksecure wiki provides guidance on adding third-party software from various upstream repositories. This is especially useful since upstream often includes generic instructions for different Linux distributions, which may be complex for users to follow. Additionally, documentation in Kicksecure usually places a higher emphasis on security and verifying digital software signatures.

The instructions provided here serve as a "translation layer" from upstream documentation to Kicksecure, offering assistance in most scenarios. Nevertheless, it's important to recognize that upstream repositories and software may change over time. Consequently, the documentation on this wiki might require occasional updates, such as revised signing key fingerprints, to remain current and accurate.

Please note, this is a general wiki template and may not apply to all upstream documentation scenarios.

Users encountering issues, such as signing key problems, are advised to follow the Self Support First Policy and engage in Generic Bug Reproduction. This involves attempting to replicate the issue on Debian trixie, and contacting upstream directly if the issue can be reproduced, as such problems are likely unspecific to Kicksecure. In most cases, Kicksecure is not responsible for, nor capable of resolving, issues stemming from third-party software.

For further information, refer to Introduction, User Expectations - What Documentation Is and What It Is Not.

Should the user encounter bugs related to third-party software, it is advisable to report these issues to the respective upstream projects. Additionally, users are encouraged to share links to upstream bug reports in the Kicksecure forums and/or make edits to this wiki page. For example, if there are outdated links or key fingerprints that need updating, please feel free to make the necessary changes. Contributions aimed at maintaining the accuracy and currency of information are highly valued. These updates not only improve the quality of the wiki but also serve as a useful resource for other users.

The Kicksecure wiki is an open platform where everyone is welcome to contribute improvements and edits, with or without an account. Edits to this wiki are subject to moderation, so contributors should not worry about making mistakes. Your edits will be reviewed before being made public, ensuring the integrity and accuracy of the information provided.

1 Add the NVIDIA signing key. [5]

To add the signing key, follow steps 1 to 4.

1 Securely download the key.

Select your platform.

Kicksecure

If you are using Kicksecure (kicksecure), run.

scurl-download https://developer.download.nvidia.com/compute/cuda/repos/debian13/x86_64/8793F200.pub

Qubes

If you are using a Qubes Template (kicksecure-18), run. [6] [7]

http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 scurl-download https://developer.download.nvidia.com/compute/cuda/repos/debian13/x86_64/8793F200.pub

2 Display the key's fingerprint.

Optional for better security. [8]

gpg --keyid-format long --import --import-options show-only --with-fingerprint 8793F200.pub

Verify the output.

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Kicksecure, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here: Verifying Software Signatures

The most important check is confirming the key fingerprint exactly matches the output below. [9]

0218 2E60 104F CDC2 6EAE 1B85 97A5 D4CB 8793 F200

Warning:

Do not continue if the fingerprint does not match -- this risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

3 Copy the signing key to the APT keyring folder. [10]

sudo cp 8793F200.pub /usr/share/keyrings/cuda-archive-keyring.gpg

4 Adjust permissions on the signing key. [11]

sudo chmod 0644 /usr/share/keyrings/cuda-archive-keyring.gpg
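The fingerprint comparison in step 2 can be done mechanically before step 3 copies the key into the APT keyring folder. The following is an added example, not part of the Kicksecure wiki or NVIDIA's instructions; the function names and sample listings are constructed for illustration, and it goes slightly beyond the page by also refusing a file that contains more than one primary key.

```shell
#!/bin/sh
# Added example: fail-closed fingerprint check for the downloaded key file.
# The expected fingerprint is the one printed on this page.
EXPECTED_FPR='0218 2E60 104F CDC2 6EAE 1B85 97A5 D4CB 8793 F200'

# Read `gpg --with-colons` output on stdin and print the fingerprint of every
# primary key, one per line. Subkey fingerprints (after "sub") are skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# check_key_listing EXPECTED < colon-listing
# Succeeds only if the listing holds exactly one primary key and its
# fingerprint equals EXPECTED (spaces and letter case in EXPECTED are ignored).
check_key_listing() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  found=$(primary_fingerprints)
  count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -ne 1 ]; then
    echo "refusing: expected exactly 1 primary key, found $count" >&2
    return 1
  fi
  if [ "$found" != "$expected" ]; then
    echo "refusing: fingerprint mismatch ($found)" >&2
    return 1
  fi
}

# verify_key_file FILE: list the key in show-only mode (nothing is imported)
# and check it. A gpg failure yields an empty listing, which is refused.
verify_key_file() {
  gpg --with-colons --import-options show-only --import "$1" 2>/dev/null |
    check_key_listing "$EXPECTED_FPR"
}

# Constructed sample listings: every field except the page's fingerprint is made up.
sample_listing_ok() {
  cat <<'EOF'
pub:-:4096:1:97A5D4CB8793F200:1650000000:::-:::scSC::::::23::0:
fpr:::::::::02182E60104FCDC26EAE1B8597A5D4CB8793F200:
uid:-::::1650000000::::Constructed UID <key@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1650000000::::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
}
sample_listing_extra_key() {
  sample_listing_ok
  cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1650000000:::-:::scSC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

# Usage: sh check-key.sh 8793F200.pub   (the script name is a placeholder)
if [ -n "${1:-}" ]; then
  verify_key_file "$1" && echo "fingerprint OK"
fi
```

Because Signed-By trusts every key in the referenced file, the single-key check matters as much as the fingerprint match.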

2 Add the NVIDIA repository entry.

sudo overwrite /etc/apt/sources.list.d/nvidia.sources "Types: deb
URIs: tor+https://developer.download.nvidia.com/compute/cuda/repos/debian13/x86_64/
Suites: /
Enabled: yes
Signed-By: /usr/share/keyrings/cuda-archive-keyring.gpg"

3 Install the NVIDIA driver:

Install package(s) cuda-drivers. Follow steps 1 to 3.

1 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

2 Install the cuda-drivers package(s).

Using the apt command line option --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends cuda-drivers

3 Done.

The procedure of installing package(s) cuda-drivers is complete.

4 Secure Boot.

To make the NVIDIA driver work after installation, Secure Boot keys must be re-enrolled. See Secure Boot DKMS Signing Key Enrollment.

Check NVIDIA Functionality

To check whether the NVIDIA driver is functional, run:

sudo nvidia-smi

Issues


Common Issues


Security


Whether you use the freedom software driver or the proprietary one, both add a large attack surface. Make sure you truly need a GPU for the work you are doing.

Specific Issues


Sudden logout


Because Nouveau runs by default in Kicksecure (the Debian default), issues may occur at any time. A recent example is a sudden black login screen caused by Nouveau GSP crashing and terminating labwc, which is used in lxqt-wayland [12].

Symptoms


If you check the journalctl log of your previous boot, it has the following entries:

localhost kernel: nouveau 0000:01:00.0: gsp: mmu fault queued
localhost kernel: nouveau 0000:01:00.0: gsp: rc engn:00000001 chid:16 type:31 scope:1 part:233
localhost kernel: nouveau 0000:01:00.0: fifo:c00000:0002:0010:[labwc[2244]] errored - disabling channel
localhost kernel: nouveau 0000:01:00.0: labwc[2244]: channel 16 killed!
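To check for this crash signature without reading the log by eye, the added example below (not from the Kicksecure wiki; the function names are hypothetical) scans kernel log lines for a killed Nouveau channel and reports whether a GSP MMU fault was logged for the same device beforehand.

```shell
#!/bin/sh
# Added example: find Nouveau "channel killed" events in kernel log lines.

# Read kernel log lines on stdin. For each killed channel print:
#   <pci-address> <process> <pid> <channel> <gsp-fault|no-gsp-fault>
nouveau_gsp_kills() {
  awk '
    {
      # Works with or without a timestamp/hostname prefix before "kernel:".
      i = index($0, "kernel: nouveau ")
      if (i == 0) next
      n = split(substr($0, i + 16), part, ": ")
      if (n < 3) next
      dev = part[1]
      # Remember that this device logged a GSP MMU fault.
      if (part[2] == "gsp" && part[3] ~ /^mmu fault/) { fault[dev] = 1; next }
      if (part[3] ~ /^channel [0-9]+ killed!/) {
        proc = part[2]; pid = "-"
        # Split "labwc[2244]" into process name and PID.
        if (match(proc, /\[[0-9]+\]$/)) {
          pid = substr(proc, RSTART + 1, RLENGTH - 2)
          proc = substr(proc, 1, RSTART - 1)
        }
        split(part[3], w, " ")
        print dev, proc, pid, w[2], ((dev in fault) ? "gsp-fault" : "no-gsp-fault")
        delete fault[dev]
      }
    }
  '
}

# The four log lines shown on this page, embedded so the example runs offline.
sample_log() {
  cat <<'EOF'
localhost kernel: nouveau 0000:01:00.0: gsp: mmu fault queued
localhost kernel: nouveau 0000:01:00.0: gsp: rc engn:00000001 chid:16 type:31 scope:1 part:233
localhost kernel: nouveau 0000:01:00.0: fifo:c00000:0002:0010:[labwc[2244]] errored - disabling channel
localhost kernel: nouveau 0000:01:00.0: labwc[2244]: channel 16 killed!
EOF
}

# Scan the kernel messages of the previous boot (needs rights to read the journal).
check_previous_boot() {
  journalctl -k -b -1 --no-pager | nouveau_gsp_kills
}

# Usage: sh nouveau-check.sh --previous-boot   (the script name is a placeholder)
if [ "${1:-}" = "--previous-boot" ]; then
  check_previous_boot
fi
```

A result line ending in gsp-fault for the compositor process (labwc here) matches the sudden logout described above.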

Solutions

  • Driver choice: Choose one of the following solutions depending on whether you want to keep using Nouveau, switch to the proprietary driver, or disable Nouveau entirely.
  • Hardware dependent: Available solutions depend on hardware configuration.
  • Prerequisite knowledge:
    • What is an iGPU: An integrated GPU (iGPU) is a graphics processor integrated into the CPU package or chipset. It often provides basic display output and power efficient graphics without requiring a separate graphics card.
    • What is a dGPU: A discrete GPU (dGPU) is a separate graphics processor, such as a dedicated NVIDIA graphics card. Some systems use both (hybrid graphics): the iGPU can drive the laptop's internal display while the dGPU is used for higher performance rendering, or the dGPU may directly drive some or all display outputs.

Force software rendering (Pixman)

Follow the instructions in the chapter Software Rendering (Pixman). This disables Nouveau acceleration and forces software rendering, which can work around Nouveau related rendering issues while keeping high display resolutions.

Notes and limitations:

Software rendering can be significantly slower than hardware acceleration. Expect increased CPU usage and reduced responsiveness, especially for high resolution displays, video playback, games, or 3D workloads.

Some applications and desktop features may not work or may be degraded when hardware acceleration is disabled. If this option resolves the crash but causes unacceptable performance issues, consider the proprietary NVIDIA driver instead.

In addition, some systems have an integrated GPU (iGPU) and a discrete GPU (dGPU). On such systems, disabling acceleration or disabling drivers can affect which GPU is used for rendering and display output.

Install NVIDIA Proprietary

You can install the proprietary NVIDIA driver as described above. This will disable Nouveau by default and use the proprietary driver instead, which does not suffer from this issue.

Disable Nouveau

If you know you will not use your graphics card, then disabling Nouveau from running is the best option for stability (and also for security and software freedom, if the only alternative to make it work is a proprietary driver).

Warning: Disabling Nouveau can result in no graphical output on some systems.

This risk is higher on systems where the display outputs are wired to the NVIDIA GPU, or on systems without a working integrated GPU (for example, no iGPU, or the iGPU is disabled in firmware, or otherwise non-functioning).

If the system's display output is provided by the NVIDIA dGPU, then disabling Nouveau (without installing the proprietary NVIDIA driver) can leave the system without a working graphics driver, resulting in a black screen or only a text console.

See forum discussion: NVIDIA as the only graphics output, CPUs without integrated graphics are common

If you are unsure, prefer Software Rendering (Pixman) or the proprietary NVIDIA driver first. Ensure you have a recovery method available (for example, access to a TTY) before proceeding.

1 Block Nouveau from loading.

sudo overwrite /etc/modprobe.d/blacklist-nouveau.conf "blacklist nouveau
options nouveau modeset=0"

2 Regenerate dracut initramfs.

sudo dracut -f

3 Reboot.

sudo reboot

4 Done.

Nouveau has been blacklisted and will no longer load.

NVIDIA and Freedom Software

  • A Freedom software: There is a freedom software driver for many NVIDIA GPUs: Nouveau. Nouveau is a reverse engineered driver because NVIDIA provides limited public hardware documentation. This lack of documentation makes it harder for the freedom software community to implement and maintain full feature support and performance (compared to vendors with more public documentation). [13]
  • B Non-freedom: NVIDIA hardware is proprietary (non-freedom). NVIDIA's official driver and much of its user space stack are also proprietary (non-freedom). This is often viewed as unfriendly to free/open-source software, and has led to public criticism. Linus Torvalds cursed NVIDIA in a well known talk at Aalto University (video: Aalto Talk with Linus Torvalds [Full-length]).

Footnotes

  1. NVIDIA history: NVIDIA corporate timeline
  2. https://nouveau.freedesktop.org/
  3. https://en.wikipedia.org/wiki/Nouveau_(software)#CUDA
  4. https://en.wikipedia.org/wiki/Nouveau_(software)#Re-clocking
  5. https://docs.nvidia.com/datacenter/tesla/driver-installation-guide/debian.html
  6. Using Qubes UpdatesProxy (http://127.0.0.1:8082/) because Qubes Templates are non-networked by Qubes default and therefore require UpdatesProxy for connectivity. (APT in Qubes Templates is configured to use UpdatesProxy by Qubes default.)
  7. Even more secure would be to download the key in a Disposable and then qvm-copy it to the Qubes Template, because this would avoid curl's attack surface, but this would also result in even more complicated instructions.
  8. Even more secure would be to display the key in another Disposable, because this would protect the Template from curl's and gpg's attack surface, but this would also result in even more complicated instructions.
  9. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
  10. https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302
  11. This is necessary because the umask set in Kicksecure will result in the file permissions of the copied file being set to 0640, which will prevent it from being read by non-root users.
  12. https://forums.kicksecure.com/t/black-login-screen-crash-due-to-nouveau-gsp-killing-labwc/1556
  13. https://en.wikipedia.org/wiki/Nouveau_(software)#Tools