Linux Cookbooks

Eric Lawler

December 24, 2019

Filed under “

I am forever losing random blog posts that explain the mysterious inner workings of Advanced Linux Components: udev, kmod, UEFI kernel mod signing, etc.

Rather than continue to accrue bookmarks that rot over time, I’m going to start writing down what I’ve learned, so I can reference it on a domain that won’t disappear in 3 years…

Installing nVidia drivers + Optimus in Fedora UEFI secure boot

Optimus is nVidia’s tech for switching loads from the lame-o built-in Intel GPUiGPU, for integrated to the beefy, discrete nVidia GPUeGPU, for, uh, not-the-intel-one in your workstation-y, game-y laptops. They have A New Thing now they call PRIME Render Offload that does High-Level Magic to render things on the beefy eGPU then feed it to the iGPU for display in the same X session.

nVidia added Linux support for PRIME in early 2019 or so, judging from the dates on internet comment threads. Fedora 31 supports all the patches to the X11 upstream natively–one of many reasons that Fedora and Arch are the only Linux distributions worth installing. And, surprisingly, RPM Fusion has a functioning kmod package for the nVidia drivers that’s new enough to support PRIME. Convenient!


  1. dnf install akmod-nvidia
  2. pgrep kmod–wait for the module to finish compiling before doing anything else, sheesh.
  3. You already added your 509 DER sign-y keysWait, you do have 509 DER sign-y keys, right? No? Then, sheesh, do this: openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj “/CN=Eric Lawler Gave Me This Script and I Ran It Without Changing Any Values/” to the UEFI MOK, right? If not:
    1. mokutil --import your-public-key.der
    2. Give mokutil a nice password
    3. Reboot your machine
    4. Tell the lovely BIOS blue screen you want to add a new key. You should choose View key #0 to ensure that’s the one you added. Is it good through 2119? It probably should be. You don’t want your extra kernel modules to stop working next century, right?
    5. ADD THE KEY. You’ll have to enter your password from step ii (pronounced aiai).
    6. And that’s it. When you boot, you can sign things with that MOK key.
  4. Sign all the nVidia kernel modules with your DER key. You’ll have to do this every time you update the nVidia drivers or install a new kernel. Same as VirtualBox. I have a simple sh script:
KERNEL=$(uname -r)

echo 'Signing kernel modules for nvidia...'
for i in /usr/lib/modules/$KERNEL/extra/nvidia/*ko.xz; do
  echo "...signing $i"
  sudo /usr/src/kernels/$KERNEL/scripts/sign-file sha256 my-private-key.priv my-public-key.der "$i";
echo 'Starting kernel modules'
sudo modprobe -v nvidia

…except that, of course, the kernel modules can’t start while nouveau is loaded. So reboot one more time after the first install to be running with nVidia’s drivers.

How to use it?

To use your laptop’s beefy nVidia GPU, append this environment string to whatever you’re running: __NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia [program]

Steam launchers can be modified like so: __NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia %command%

Signing VirtualBox drivers

  1. Add a new MOK as in the nVidia instructions above.
  2. Find your driver:
    • updatedb && locate vboxdrv …or
    • modinfo -n vboxdrv
  3. Sign it. (This is the path from the RPM Fusion repo.)
KERNEL=$(uname -r)

echo 'Signing kernel modules for VirtualBox...'
for i in /lib/modules/$KERNEL/extra/VirtualBox/*ko; do
  echo "...signing $i"
  sudo /usr/src/kernels/$KERNEL/scripts/sign-file sha256 my-private-key.priv my-public-key.der "$i";
echo 'Starting kernel modules'
sudo modprobe -v vboxdrv

Remapping caps lock to backspace, 2019 edition

This one’s a real mess, but I’m too lazy to type it out now. I’m trusting that this dangling appendage will embarrass shame me into completing it, since the new Ask Fedora is absolutely, 100% useless and all the old Ask Fedora content (now rebranded as will vanish soon, including Ahmad Samir’s ridiculously useful answer to my udev question from 2013.

tldr? Dig into the udev Readmes/usr/lib/udev/hwdb.d/60-keyboard.hwdb hiding on your system to learn all the udev utilities to run and monitor output while poking keys on your keyboard. Then you’ll suss out the manufacturer specific serial numbers/device IDs you can use to run rules or straight-up remap the hardware, as I do.

Some of the the data for identifying keyboards is hidden in the evtest command’s output. The generic USB keyboard rules are:

evdev:name:<input device name>:phys:<phys>:ev:<ev>:dmi:bvn*:bvr*:bd*:svn<vendor>:pn*

When you start evtest and choose your keyboard, you’ll see this printed:

Input driver version is 1.0.1
Input device ID: bus 0x11 vendor 0x1 product 0x1 version 0xab41
Input device name: "AT Translated Set 2 keyboard"

Which you can translate to: evdev:input:b0011v0001p0001eAB41

AT KeyboardsHonestly, I’m not sure what this type of input device is. PS/2? The laptop keyboard is an AT device. can be identified using the data from modalias:

[root@kohlenstoff ~]# cat /sys/class/dmi/id/modalias

Here is my cookbook, for the next computer I purchase. Plop this in /lib/udev/hwdb.d/90-custom-keyboard.hwdb, in Linux kernel 5.X+ and this will cause the kernel to translate all slaps of the caps lock key, useless invention that it is, as a backspace key to every single application on your system: In X and Wayland and Virtual Terminals alike.

# Dell XPS 15
# Exact match: evdev:input:b0011v0001p0001eAB41*
# All Dell keyboards:

# generic Logitech

# Microsoft Sculpt Ergo Keyboard

# Microsoft Natural Ergonomic Keyboard 4000

Don’t Panic

When you upgrade your system, these rules will appear to stop working. Before you grind your molars to dust and embark on an hour-long update to this blog post, just remember that systemd updates its rules on a schedule that is vague.

Post-update to systemd / your OS, follow the instructions given in the 60-keyboard rules file to remind Linux that Caps Lock is dead to you:

[root@kohlenstoff ~]# systemd-hwdb update
[root@kohlenstoff ~]# udevadm trigger --verbose --sysname-match="event*"
[long list of events that changed printed here]
^-- welcome back, double backspace!

Merry Christmas.

Finalized at 5:51 PM. Tidied up on October 26, 2020 @ 10:53 AM.

Tagged with reference and how-to.