Signing the NVIDIA Kernel Module
Some kernels may require that kernel modules be cryptographically signed by a key trusted by the kernel in order to be loaded. In particular, many distributions require modules to be signed when loaded into kernels running on UEFI systems with Secure Boot enabled. nvidia-installer includes support for signing the kernel module before installation, to ensure that it can be loaded on such systems. Note that not all UEFI systems have Secure Boot enabled, and not all kernels running on UEFI Secure Boot systems will require signed kernel modules. If you are uncertain whether your system requires signed kernel modules, you may try installing the driver without signing the kernel module, to see if the unsigned kernel module can be loaded.
In order to sign the kernel module, you will need a private signing key and an X.509 certificate for the corresponding public key. The X.509 certificate must be trusted by the kernel before the module can be loaded: we recommend ensuring that the signing key is trusted before beginning the driver installation, so that the newly signed module can be used immediately. If you do not already have a key pair suitable for module signing, you must generate one. Please consult your distribution's documentation for details on the types of keys suitable for module signing, and how to generate them. nvidia-installer can generate a key pair for you at install time, but it is preferable to have a key pair already generated and trusted by the kernel before installation begins.
Once you have a key pair ready, you can use that key pair in nvidia-installer by passing the keys to the installer on the command line with the --module-signing-secret-key and --module-signing-public-key options. As an example, it is possible to install the driver with a signed kernel module in silent mode (i.e., non-interactively) by running:
    sh ./NVIDIA-Linux-aarch64-520.56.06.run -s \
        --module-signing-secret-key=/path/to/signing.key \
        --module-signing-public-key=/path/to/signing.x509
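
The checks below are an added example, not part of the NVIDIA documentation or of nvidia-installer: they report whether the running kernel is likely to require signed modules, confirm that the private key and certificate form a pair, and ask whether the certificate is already enrolled. The function names are hypothetical, and the script assumes that openssl and mokutil are installed and that your distribution establishes trust through MOK enrollment.

```shell
#!/bin/sh
# Added example: checks to run before nvidia-installer with the
# --module-signing-* options. Assumes openssl and mokutil are installed and
# that trust comes from MOK enrollment (distribution-dependent).

# Map `mokutil --sb-state` output to on/off/unknown.
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo on ;;
        *"SecureBoot disabled"*) echo off ;;
        *)                       echo unknown ;;
    esac
}

# $1 = sb_state result, $2 = contents of the kernel's sig_enforce parameter.
# Secure Boot alone yields "likely": not every kernel enforces signatures.
signing_required() {
    if [ "$2" = Y ]; then echo yes
    elif [ "$1" = on ]; then echo likely
    elif [ "$1" = off ]; then echo no
    else echo unknown
    fi
}

# Print a certificate's public key; accepts DER or PEM.
cert_pubkey() {
    openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null ||
    openssl x509 -inform PEM -in "$1" -noout -pubkey 2>/dev/null
}

# Succeed only if private key $1 (unencrypted) and certificate $2 are a pair.
keypair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(cert_pubkey "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

preflight() {   # $1 = private key, $2 = certificate (DER for mokutil)
    sb=$(sb_state "$(mokutil --sb-state 2>/dev/null)")
    enf=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null)
    echo "signed modules required: $(signing_required "$sb" "$enf")"
    keypair_matches "$1" "$2" || { echo "key/certificate mismatch"; return 1; }
    mokutil --test-key "$2" 2>/dev/null | grep -q "already enrolled" ||
        echo "certificate not reported as enrolled in MOK"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it with the same two paths you intend to pass to the installer, private key first and certificate second.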