Unsigned NVIDIA driver won't load with Secure Boot enabled - Debian 10 Buster

I have an ACER AN515-51 gaming laptop with these specs:

  • Integrated GPU: 7th Generation Intel Core i5-7300HQ Processor (Up to 2.5 GHz)
  • Dedicated GPU: NVIDIA GeForce GTX 1050 Ti with 4 GB of dedicated GDDR5 VRAM
  • Memory: 8GB DDR4 RAM
  • 256GB Intel SSD

ISSUE:

I just installed Debian 10.4 Buster with Cinnamon. It’s a dual boot machine with Windows 10 which came pre-installed. UEFI/Secure Boot is enabled. In order to fix a freezing issue whenever I rebooted/shut down through GUI or opened Firefox, I disabled nouveau kernel drivers. This fixed the freezing issue. However, I still have other issues:

  1. When I click on NVIDIA X Server Settings, it won’t launch and nothing happens.
  2. My frame rate is about 50 FPS which is unacceptable for playing modern games. This is because I’m now using the Intel iGPU after disabling the nouveau kernel drivers.

I updated my kernel from 4.19.0-9-amd64 to 5.5.0-0.bpo.2-amd64 and also installed the matching kernel header files. Then I tried to install NVIDIA proprietary drivers from the Debian repository (buster-backports) and also set up NVIDIA Optimus. However, after I tried installing the drivers, I realized that the drivers wouldn’t load because when Secure Boot is enabled, Debian activates “lockdown” mode. Debian won’t load kernel modules that are not signed by a trusted key, so this will block the unsigned NVIDIA proprietary drivers. Some people have the option of disabling one of the GPUs in their BIOS, but I don’t have this option in my BIOS.

This seems to leave me with the following options to install/load the drivers:

  1. Disable Secure Boot

I prefer to leave Secure Boot enabled but it does make things simpler if I disable it because then I can install the unsigned drivers from the Debian repository without having to create my own signing key. Also, I won’t have to reinstall the drivers every time I update my kernel.

  2. Enable Secure Boot and create my own signing key for modules and add its certificate to the trusted list using MOK. Then install NVIDIA drivers directly from the NVIDIA website.

However, I will have to manually install the drivers every time I upgrade my kernel.

  3. Enable Secure Boot and create my own signing key for modules, add its certificate to the trusted list, and install NVIDIA drivers from the Debian repository.

Is Option 3 even possible? If so, how would I do it? Also, I know that if I disable Secure Boot and install the drivers from the Debian repository, I won’t have to install them again after upgrading my kernel. But what if I enable Secure Boot? Will I need to manually install the drivers again if I upgrade my kernel? If I do, then I might as well install the 390 drivers from the NVIDIA website because the whole point of installing from the Debian repository is so that I don’t have to reinstall the drivers when I upgrade my kernel.

After installing the drivers, I can choose these options to set up NVIDIA Optimus:

1a. PRIME and PRIME synchronization

1b. nvidia-xrun

1c. Bumblebee

This step will be another adventure. I’m open to suggestions as to what people prefer. PRIME and nvidia-xrun give better performance than Bumblebee, and Bumblebee does not support Vulkan games, so I am more inclined towards PRIME (and PRIME Synchronization to prevent tearing) or nvidia-xrun. The OP of the Reddit guide above prefers nvidia-xrun and says it gives him the best performance, but it is slightly more difficult to set up and is not yet packaged for Debian.
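
The module-signing procedure that options 2 and 3 above refer to, as an added example that is not part of the original post: it creates a Machine Owner Key, finds modules that carry no appended signature, and signs them with the kernel's `sign-file` tool. The key and certificate paths, the `sign-file` location and the module directory are assumptions to adjust for the system at hand.

```shell
#!/bin/sh
# Added example: sign out-of-tree kernel modules with a Machine Owner Key (MOK).
# Assumed location of the kernel's sign-file tool (Debian linux-kbuild package).
SIGN_FILE="${SIGN_FILE:-/usr/lib/linux-kbuild-$(uname -r | cut -d. -f1-2)/scripts/sign-file}"

# Create an RSA key and a DER certificate. The key is written unencrypted
# (-nodes), so the restrictive umask keeps it readable by its owner only.
create_mok() {  # usage: create_mok KEY.priv CERT.der
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
          -subj "/CN=Local module signing key/" \
          -keyout "$1" -outform DER -out "$2" )
}

# A signed module ends with a 28-byte marker: this string plus a newline.
# The marker only shows that a signature is appended; whether the signing
# key is trusted is decided by the kernel when the module is loaded.
module_is_signed() {  # usage: module_is_signed FILE.ko
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\0')" = "~Module signature appended~" ]
}

# Print every *.ko file below DIR that has no appended signature.
list_unsigned() {  # usage: list_unsigned DIR
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        module_is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# Sign each unsigned module, then succeed only if none is left unsigned.
sign_unsigned() {  # usage: sign_unsigned DIR KEY.priv CERT.der
    list_unsigned "$1" | while IFS= read -r ko; do
        "$SIGN_FILE" sha256 "$2" "$3" "$ko"
    done
    [ -z "$(list_unsigned "$1")" ]
}

# Typical run as root (all paths are assumptions):
#   create_mok /root/mok/MOK.priv /root/mok/MOK.der
#   mokutil --import /root/mok/MOK.der    # reboot and confirm in the MOK manager
#   sign_unsigned "/lib/modules/$(uname -r)/updates/dkms" \
#       /root/mok/MOK.priv /root/mok/MOK.der
```

Running `list_unsigned` on the module directory after a kernel or driver update shows whether any rebuilt module still needs a signature before the next boot.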