diff --git a/iso/builder/VERSIONS b/iso/builder/VERSIONS
index b318cda..3f7db11 100644
--- a/iso/builder/VERSIONS
+++ b/iso/builder/VERSIONS
@@ -1,4 +1,4 @@
 ALPINE_VERSION=3.21
 KERNEL_VERSION=6.6
-NVIDIA_DRIVER_VERSION=550.54.15
+NVIDIA_DRIVER_VERSION=590.48.01
 GO_VERSION=1.23.6
diff --git a/iso/builder/build-nvidia-module.sh b/iso/builder/build-nvidia-module.sh
index 509e424..b9b3dc3 100644
--- a/iso/builder/build-nvidia-module.sh
+++ b/iso/builder/build-nvidia-module.sh
@@ -41,13 +41,29 @@ fi
 # Install build dependencies
 apk add --quiet gcc make perl linux-lts-dev wget
-# Download official NVIDIA .run installer (proprietary)
+# Download official NVIDIA .run installer (proprietary) with sha256 verification
+BASE_URL="https://download.nvidia.com/XFree86/Linux-x86_64/${NVIDIA_VERSION}"
 RUN_FILE="/var/tmp/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
-if [ ! -f "$RUN_FILE" ]; then
+SHA_FILE="/var/tmp/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run.sha256sum"
+
+verify_run() {
+ [ -s "$SHA_FILE" ] || return 1
+ [ -s "$RUN_FILE" ] || return 1
+ cd /var/tmp
+ sha256sum -c "$SHA_FILE" --status 2>/dev/null
+}
+
+if ! verify_run; then
+ rm -f "$RUN_FILE" "$SHA_FILE"
 echo "=== downloading NVIDIA ${NVIDIA_VERSION} installer ==="
- wget -q --show-progress \
- -O "$RUN_FILE" \
- "https://download.nvidia.com/XFree86/Linux-x86_64/${NVIDIA_VERSION}/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
+ wget -q -O "$SHA_FILE" "${BASE_URL}/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run.sha256sum"
+ echo "sha256: $(cat "$SHA_FILE")"
+ wget --show-progress -O "$RUN_FILE" "${BASE_URL}/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
+ echo "=== verifying sha256 ==="
+ cd /var/tmp && sha256sum -c "$SHA_FILE" || { echo "ERROR: sha256 mismatch"; rm -f "$RUN_FILE"; exit 1; }
+ echo "sha256 OK"
+else
+ echo "=== NVIDIA installer verified from cache ==="
 fi
 # Extract installer contents
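Review bot: The check added in the `if ! verify_run` branch only proves that the .run matches a checksum list fetched from the same `BASE_URL`, so it catches truncated or corrupted downloads but not a tampered origin or mirror, where both files would change together. VERSIONS already pins the driver version, so the expected digest could be pinned there too (a new entry such as `NVIDIA_DRIVER_SHA256=<expected digest>`) and checked with `echo "${NVIDIA_DRIVER_SHA256}  ${RUN_FILE}" | sha256sum -c -`. That form also ties the check to `$RUN_FILE` itself, whereas `sha256sum -c "$SHA_FILE"` verifies whatever file name the downloaded list contains, resolved relative to `/var/tmp`. In `verify_run`, `--status` combined with `2>/dev/null` hides a rejected option; if this is BusyBox's sha256sum (no coreutils in the visible `apk add` line), confirm it accepts the long option, otherwise the cached path never succeeds and the installer is re-downloaded on every build.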
@@ -57,9 +73,17 @@ EXTRACT_DIR="/var/tmp/nvidia-extract-${NVIDIA_VERSION}"
 rm -rf "$EXTRACT_DIR"
 "$RUN_FILE" --extract-only --target "$EXTRACT_DIR"
+# Find kernel source directory (proprietary: kernel/, open: kernel-open/)
+KERNEL_SRC=""
+for d in "$EXTRACT_DIR/kernel" "$EXTRACT_DIR/kernel-modules-sources" "$EXTRACT_DIR/kernel-source"; do
+ [ -f "$d/Makefile" ] && KERNEL_SRC="$d" && break
+done
+[ -n "$KERNEL_SRC" ] || { echo "ERROR: kernel source dir not found in:"; ls "$EXTRACT_DIR/"; exit 1; }
+echo "kernel source: $KERNEL_SRC"
+
 # Build kernel modules from extracted source
 echo "=== building kernel modules ($(nproc) cores) ==="
-cd "$EXTRACT_DIR/kernel"
+cd "$KERNEL_SRC"
 make -j$(nproc) KERNEL_UNAME="$KVER" SYSSRC="$KDIR" modules 2>&1 | tail -5
 # Collect outputs
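Review bot: The added comment says the open modules live in `kernel-open/`, but the `for d in …` loop probes only `kernel`, `kernel-modules-sources` and `kernel-source`, so that directory is never considered and the comment disagrees with the code. Either add `"$EXTRACT_DIR/kernel-open"` to the candidate list or reword the comment to `# Find kernel source directory (first candidate containing a Makefile)`. Because the first match silently decides which module flavour is built and shipped in the ISO, a comment stating the intended flavour and why the candidates are in this order would help the next maintainer. The failure branch prints to stdout; diagnostics belong on stderr, e.g. `echo "ERROR: kernel source dir not found in $EXTRACT_DIR" >&2`.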