Posted  by  admin

Nvidia Driver Download Archive

Table of Contents

Downloads; Training; Search. Join; Downloads; Training; Ecosystem; Forums; CUDA Toolkit Archive. Home; CUDA Toolkit Archive. Previous releases of the CUDA Toolkit, GPU Computing SDK, documentation and developer drivers can be found using the links below. Please select the release you want from the list below, and be sure to check www.nvidia.com. Archival project for NVIDIA drivers on various platforms. An icon used to represent a menu that can be toggled by interacting with this icon.

Before youBegin
Starting theInstaller
Installing the KernelInterface
Registering the NVIDIAKernel Module with DKMS
Signing the NVIDIA KernelModule
Adding Precompiled KernelInterfaces to the Installer Package
Other Features of theInstaller

This chapter provides instructions for installing the NVIDIAdriver. Note that after installation, but prior to using thedriver, you must complete the steps described in Chapter 6,Configuring X for the NVIDIA Driver. Additional detailsthat may be helpful for the new Linux user are provided in Appendix I,Tips for New Linux Users.

Before you begin the installation, exit the X server andterminate all OpenGL applications (note that it is possible thatsome OpenGL applications persist even after the X server hasstopped). You should also set the default run level on your systemsuch that it will boot to a VGA console, and not directly to X.Doing so will make it easier to recover if there is a problemduring the installation process. See Appendix I,Tips for New Linux Users for details.

If you're installing on a system that is set up to use theNouveau driver, then you should first disable it before attemptingto install the NVIDIA driver. See Q & A 8.1,“Interaction with the Nouveau Driver” fordetails.

Nvidia

After you have downloaded the file NVIDIA-Linux-x86_64-415.13.run, change tothe directory containing the downloaded file, and as theroot user run the executable:

The .run file is a self-extractingarchive. When executed, it extracts the contents of the archive andruns the contained nvidia-installerutility, which provides an interactive interface to walk youthrough the installation.

nvidia-installer will also installitself to /usr/bin/nvidia-installer,which may be used at some later time to uninstall drivers,auto-download updated drivers, etc. The use of this utility isdetailed later in this chapter.

You may also supply command line options to the .run file. Some of the more common options arelisted below.

Common .runOptions

--info

Print embedded info about the .runfile and exit.

--check

Check integrity of the archive and exit.

--extract-only
Experience

Extract the contents of ./NVIDIA-Linux-x86_64-415.13.run, but do notrun nvidia-installer.

--help

Print usage information for the common commandline options andexit.

--advanced-options

Print usage information for common command line options as wellas the advanced options, and then exit.

The NVIDIA kernel module has a kernel interface layer that mustbe compiled specifically for each kernel. NVIDIA distributes thesource code to this kernel interface layer.

When the installer is run, it will check your system for therequired kernel sources and compile the kernel interface. You musthave the source code for your kernel installed for compilation towork. On most systems, this means that you will need to locate andinstall the correct kernel-source, kernel-headers, or kernel-develpackage; on some distributions, no additional packages arerequired.

After the correct kernel interface has been compiled, the kernelinterface will be linked with the closed-source portion of theNVIDIA kernel module. This requires that you have a linkerinstalled on your system. The linker, usually /usr/bin/ld, is part of the binutils package. Youmust have a linker installed prior to installing the NVIDIAdriver.

The installer will check for the presence of DKMS on yoursystem. If DKMS is found, you will be given the option ofregistering the kernel module with DKMS, and using the DKMSinfrastructure to build and install the kernel module. On mostsystems with DKMS, DKMS will take care of automatically rebuildingregistered kernel modules when installing a different Linuxkernel.

If nvidia-installer is unable toinstall the kernel module through DKMS, the installation will beaborted and no kernel module will be installed. If this happens,installation should be attempted again, without the DKMSoption.

Note that versions of nvidia-installer shipped with drivers beforerelease 304 do not interact with DKMS. If you choose to registerthe NVIDIA kernel module with DKMS, please ensure that the moduleis removed from the DKMS database before using a non-DKMS awareversion of nvidia-installer toinstall an older driver; otherwise, module source files may bedeleted without first unregistering the module, potentially leavingthe DKMS database in an inconsistent state. Running nvidia-uninstall before installing a driver usingan older installer will invoke the correct dkms remove command to clean upthe installation.

Due to the lack of secure storage for private keys that can beutilized by automated processes such as DKMS, it is not possible touse DKMS in conjunction with the module signing support built intonvidia-installer.

Some kernels may require that kernel modules becryptographically signed by a key trusted by the kernel in order tobe loaded. In particular, many distributions require modules to besigned when loaded into kernels running on UEFI systems with SecureBoot enabled. nvidia-installerincludes support for signing the kernel module before installation,to ensure that it can be loaded on such systems. Note that not allUEFI systems have Secure Boot enabled, and not all kernels runningon UEFI Secure Boot systems will require signed kernel modules, soif you are uncertain about whether your system requires signedkernel modules, you may try installing the driver without signingthe kernel module, to see if the unsigned kernel module can beloaded.

In order to sign the kernel module, you will need a privatesigning key, and an X.509 certificate for the corresponding publickey. The X.509 certificate must be trusted by the kernel before themodule can be loaded: we recommend ensuring that the signing key betrusted before beginning the driver installation, so that the newlysigned module can be used immediately. If you do not already have akey pair suitable for module signing use, you must generate one.Please consult your distribution's documentation for details on thetypes of keys suitable for module signing, and how to generatethem. nvidia-installer can generate akey pair for you at install time, but it is preferable to have akey pair already generated and trusted by the kernel beforeinstallation begins.

Once you have a key pair ready, you can use that key pair innvidia-installer by passing the keysto the installer on the command line with the --module-signing-secret-key and --module-signing-public-key options. As an example,it is possible to install the driver with a signed kernel module insilent mode (i.e., non-interactively) by running:

In the example above, signing.keyand signing.x509 are a private/publickey pair, and the public key is already enrolled in one of thekernel's trusted module signing key sources.

On UEFI systems with secure boot enabled, nvidia-installer willpresent a series of interactive prompts to guide users through themodule signing process. As an alternative to setting the key pathson the command line, the paths can be provided interactively inresponse to the prompts. These prompts will also appear whenbuilding the NVIDIA kernel module against a kernel which hasCONFIG_MODULE_SIG_FORCE enabled in its configuration, or if theinstaller is run in expert mode.

Key Sources Trusted by the Kernel

In order to load a kernel module into a kernel that requiresmodule signatures, the module must be signed by a key that thekernel trusts. There are several sources that a kernel may drawupon to build its pool of trusted keys. If you have generated a keypair, but it is not yet trusted by your kernel, you must add acertificate for your public key to a trusted key source before itcan be used to verify signatures of signed kernel modules. Thesetrusted sources include:

Certificates embedded into the kernelimage

On kernels with CONFIG_MODULE_SIGset, a certificate for the public key used to sign the in-treekernel modules is embedded, along with any additional modulesigning certificates provided at build time, into the kernel image.Modules signed by the private keys that correspond to the embeddedpublic key certificates will be trusted by the kernel.

Since the keys are embedded at build time, the only way to add anew public key is to build a new kernel. On UEFI systems withSecure Boot enabled, the kernel image will, in turn, need to besigned by a key that is trusted by the bootloader, so usersbuilding their own kernels with custom embedded keys should have aplan for making sure that the bootloader will load the newkernel.

Certificates stored in the UEFI firmwaredatabase

On kernels with CONFIG_MODULE_SIG_UEFI, in addition to anycertificates embedded into the kernel image, the kernel can usecertificates stored in the db,KEK, or PK databases of the computer's UEFI firmware toverify the signatures of kernel modules, as long as they are not inthe UEFI dbx blacklist.

Any user who holds the private key for the Secure BootPK, or any of the keys in theKEK list should be able to add newkeys that can be used by a kernel with CONFIG_MODULE_SIG_UEFI, and any user with physicalaccess to the computer should be able to delete any existing SecureBoot keys, and install his or her own keys instead. Please consultthe documentation for your UEFI-based computer system for detailson how to manage the UEFI Secure Boot keys.

Certificates stored in a supplementary keydatabase

Some distributions include utilities that allow for the securestorage and management of cryptographic keys in a database that isseparate from the kernel's built-in key list, and the key lists inthe UEFI firmware. A prominent example is the MOK (Machine OwnerKey) database used by some versions of the shim bootloader, and the associated managementutilities, mokutil and MokManager.

Such a system allows users to enroll additional keys without theneed to build a new kernel or manage the UEFI Secure Boot keys.Please consult your distribution's documentation for details onwhether such a supplementary key database is available, and if so,how to manage its keys.

Generating Signing Keys in nvidia-installer

nvidia-installer can generate keysthat can be used for module signing, if existing keys are notreadily available. Note that a module signed by a newly generatedkey cannot be loaded into a kernel that requires signed modulesuntil its key is trusted, and when such a module is installed onsuch a system, the installed driver will not be immediately usable,even if the installation was successful.

When nvidia-installer generates akey pair and uses it to sign a kernel module, an X.509 certificatecontaining the public key will be installed to disk, so that it canbe added to one of the kernel's trusted key sources. nvidia-installer will report the location of theinstalled certificate: make a note of this location, and of thecertificate's SHA1 fingerprint, so that you will be able to enrollthe certificate and verify that it is correct, after theinstallation is finished.

By default, nvidia-installer willattempt to securely delete the generated private key withshred -u after the module is signed.This is to prevent the key from being exploited to sign a maliciouskernel module, but it also means that the same key can't be usedagain to install a different driver, or even to install the samedriver on a different kernel. nvidia-installer can optionally install theprivate signing key to disk, as it does with the publiccertificate, so that the key pair can be reused in the future.

Nvidia Driver Download Windows 7

If you elect to install the private key, please make sure thatappropriate precautions are taken to ensure that it cannot bestolen. Some examples of precautions you may wish to take:

Prevent the key from being read by anybodywithout physical access to the computer

In general, physical access is required to install Secure Bootkeys, including keys managed outside of the standard UEFI keydatabases, to prevent attackers who have remotely compromised thesecurity of the operating system from installing malicious bootcode. If a trusted key is available to remote users, even root,then it will be possible for an attacker to sign arbitrary kernelmodules without first having physical access, making the systemless secure.

One way to ensure that the key is not available to remote usersis to keep it on a removable storage medium, which is disconnectedfrom the computer except when signing modules.

Do not store the unencrypted privatekey

Encrypting the private key can add an extra layer of security:the key will not be useful for signing modules unless it can besuccessfully decrypted, first. Make sure not to store unencryptedcopies of the key on persistent storage: either use volatilestorage (e.g. a RAM disk), or securely delete any unencryptedcopies of the key when not in use (e.g. using shred instead of rm). Note that using shred may not be sufficient to fully purge datafrom some storage devices, in particular, some types of solid statestorage.

Alternatives to the Installer's Module Signing Support

It is possible to load the NVIDIA kernel module on a system thatrequires signed modules, without using the installer's modulesigning support. Depending on your particular use case, you mayfind one of these alternatives more suitable than signing themodule with nvidia-installer:

Disable UEFI Secure Boot, ifapplicable

On some kernels, a requirement for signed modules is onlyenforced when booted on a UEFI system with Secure Boot enabled.Some users of such kernels may find it more convenient to disableSecure Boot; however, note that this will reduce the security ofyour system by making it easier for malicious users to installpotentially harmful boot code, kernels, or kernel modules.

Use a kernel that doesn't require signedmodules

The kernel can be configured not to check module signatures, orto check module signatures, but allow modules without a trustedsignature to be loaded, anyway. Installing a kernel configured insuch a way will allow the installation of unsigned modules. Notethat on Secure Boot systems, you will still need to ensure that thekernel be signed with a key trusted by the bootloader and/or bootfirmware, and that a kernel that doesn't enforce module signatureverification may be slightly less secure than one that does.

AddingPrecompiled Kernel Interfaces to the Installer Package

When nvidia-installer runs, itsearches for a pre-compiled kernel interface layer for the targetkernel: if one is found, then the complete kernel module can beproduced by linking the precompiled interface with nv-kernel.o, instead of needing to compile thekernel interface on the target system. nvidia-installer includes a feature which allowsusers to add a precompiled interface to the installer package. Thisis useful in many use cases; for example, an administrator of alarge group of similarly configured computers can prepare aninstaller package with a precompiled interface for the kernelrunning on those computers, then deploy the customized installer,which will be able to install the NVIDIA kernel module withoutneeding to have the kernel development headers or a compilerinstalled on the target systems. (A linker is still required.)

To use this feature, simply invoke the .run installer package with the --add-this-kernel option; e.g.

This will unpack NVIDIA-Linux-x86_64-415.13.run, compile akernel interface layer for the currently running kernel (use the--kernel-source-path and --kernel-output-path options to specify a targetkernel other than the currently running one), and create a newinstaller package with the kernel interface layer added.

Download Older Geforce Drivers

Administrators of large groups of similarly configured computersthat are configured to require trusted signatures in order to loadkernel modules may find this feature especially useful whencombined with the built-in support for module signing innvidia-installer. To package a .runfile with a precompiled kernel interface layer, plus a detachedmodule signature for the linked module, just use the --module-signing-secret-key and --module-signing-public-key options alongside the--add-this-kernel option. The resultingpackage, besides being installable without kernel headers or acompiler on the target system, has the added benefit of being ableto produce a signed module without needing access to the privatekey on the install target system. Note that the detached signaturewill only be valid if the result of linking the precompiledinterface with nv-kernel.o on thetarget system is exactly the same as the result of linking thosetwo files on the system that was used to create the custominstaller. To ensure optimal compatibility, the linker used on boththe package preparation system and the install target system shouldbe the same.

Without options, the .run fileexecutes the installer after unpacking it. The installer can be runas a separate step in the process, or can be run at a later time toget updates, etc. Some of the more important commandline options ofnvidia-installer are:

nvidia-installeroptions

--uninstall

During installation, the installer will make backups of anyconflicting files and record the installation of new files. Theuninstall option undoes an install, restoring the system to itspre-install state.

--ui=none

The installer uses an ncurses-based user interface if it is ableto locate the correct ncurses library. Otherwise, it will fall backto a simple commandline user interface. This option disables theuse of the ncurses library.