[SOLVED] NVIDIA 580.x + Kernel 7.0 incompatibility on Trixie

C

crazywolf13

Member
Oct 15, 2023
90
11
13
Has anyone got any idea for my seeminly hopeless situation with nvidia drivers on the proxmox host?

Hardware: GTX 1060 (Pascal) + GTX 180 Ti (Kepler)
PVE version: 9.1.2


The problem: Nvidia Driver 580.x is the last series supporting Pascal/Kepler hardware.
It builds fine on kernel 6.17 but since proxmox updated to kernel 7.0 it fails due to VMA locking API changes (VMA_LOCK_OFFSET removed, __is_vma_write_locked signature changed in mmap_lock.h).


The repositorys
  • The debian12 CUDA repo has 580.x but is signed with a SHA1-bound key, which trixie's sqv rejects since Feb 2026
  • The debian13 CUDA repo has working signing but no 580.x, only newer driver series that dropped Pascal/Kepler support
  • The debian 13 repo has only driver 550 which is too far outdated and I had issues with it

What I think to do:
Pin the kernel to 6.17.13-7-pve and held kernel 7.0 packages, but due to exploits, I don't really wanna do that?
Also what would be the suggested way to do this?

  1. Is there a patched 580.x build anywhere that supports kernel 7.0's new VMA API?
  2. Is there a plan for the debian13 CUDA repo to carry 580.x for legacy hardware?
  3. Any other suggested approach for Pascal/Kepler on PVE trixie long-term?
 
Last edited:
Try this parameter in the nvidia apt repository configuration for SHA1 problem:
Code: 
Allow-Insecure: yes
 
Last edited:
  • Like
Reactions: crazywolf13
@czechsys

Thanks, I tried with that parameter and got the following error:

Code: 
Err:5 https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64  InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on EB693B3035CD5710E231E123A4B469963BF863CC is not bound:            No binding signature at time 2026-05-08T15:21:05Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Hit:7 http://download.proxmox.com/debian/pve bookworm InRelease
Warning: OpenPGP signature verification failed: https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64  InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on EB693B3035CD5710E231E123A4B469963BF863CC is not bound:            No binding signature at time 2026-05-08T15:21:05Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64  InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.


after also adding trusted: yes I got only a warning:

Code: 
Warning: OpenPGP signature verification failed: https://developer.download.nvidia.com/compute/cuda/repos/debian12/x86_64  InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on EB693B3035CD5710E231E123A4B469963BF863CC is not bound:            No binding signature at time 2026-05-08T15:21:05Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

After this I was able to update just fine, thanks a lot!
 
I ran into a similar issue with the Debian-packaged 550 driver rather than 580. I put together my patch approach here in case it helps anyone else:
https://github.com/egeekial/nvidia-550xx-dkms-proxmox

It’s specifically for `nvidia-current` 550.163.01 on the Proxmox 7.0 kernel, so it won’t directly fix 580.x. The script patches the DKMS source, rebuilds it, runs `dpkg --configure -a`, and updates initramfs.

Basically:

Code: 
git clone https://github.com/egeekial/nvidia-550xx-dkms-proxmox.git
cd nvidia-550xx-dkms-proxmox
bash apply-patches-proxmox.sh

Not a general NVIDIA fix, but it got the Debian 550 package building again for me. I just upgraded to the latest Proxmox kernel (7.0.2-3-pve), and DKMS successfully rebuilt the driver automatically.
 
  • Like
Reactions: crazywolf13
Thanks!

But driver 550.x which is available via debian repo is too far outdated for me.

But maybe some parts of the patches are helpful, I'll take a look, appreciate the link!
 
  • Like
Reactions: egeekial
crazywolf13 said:
Has anyone got any idea for my seeminly hopeless situation with nvidia drivers on the proxmox host?

Hardware: GTX 1060 (Pascal) + GTX 180 Ti (Kepler)
PVE version: 9.1.2


The problem: Nvidia Driver 580.x is the last series supporting Pascal/Kepler hardware.
It builds fine on kernel 6.17 but since proxmox updated to kernel 7.0 it fails due to VMA locking API changes (VMA_LOCK_OFFSET removed, __is_vma_write_locked signature changed in mmap_lock.h).


The repositorys
  • The debian12 CUDA repo has 580.x but is signed with a SHA1-bound key, which trixie's sqv rejects since Feb 2026
  • The debian13 CUDA repo has working signing but no 580.x, only newer driver series that dropped Pascal/Kepler support
  • The debian 13 repo has only driver 550 which is too far outdated and I had issues with it

What I think to do:
Pin the kernel to 6.17.13-7-pve and held kernel 7.0 packages, but due to exploits, I don't really wanna do that?
Also what would be the suggested way to do this?

  1. Is there a patched 580.x build anywhere that supports kernel 7.0's new VMA API?
  2. Is there a plan for the debian13 CUDA repo to carry 580.x for legacy hardware?
  3. Any other suggested approach for Pascal/Kepler on PVE trixie long-term?
Click to expand...
6.17 is patched for that recent exploit, get the -8 version from repo.
 
Last edited:
  • Like
Reactions: crazywolf13
You must log in or register to reply here.
Top Bottom
Back