Secure Boot for Linux-libre

The kernels for the amd64 and i386 architectures support UEFI Secure Boot. If your computer doesn't support this, or if you don't want to use it, you can skip all of this and go back to the main page.

If you do want to use these kernels with UEFI Secure Boot enabled you should fetch and install the key with which the kernels are signed:

wget https://jxself.org/linux-libre-mok.cer

Confirm that it's the right one. The fingerprint is provided as both SHA-1 and SHA-256 because SHA-256 is more secure but the mokutil program and MOK Manager will show the SHA-1 hash. Providing both here allows for easy comparison.

openssl x509 -noout -fingerprint -sha1 -inform der -in linux-libre-mok.cer
openssl x509 -noout -fingerprint -sha256 -inform der -in linux-libre-mok.cer

If it matches, enroll the key. Note that enrolling a key is a multistep process: mokutil is used to start the process, but the change can only be confirmed at boot time. First:

sudo mokutil --import linux-libre-mok.cer

You will be asked for a temporary password for this enrollment request. Remember this password; MOK Manager will ask you for it later.

Confirm that it's prepared to be enrolled:

sudo mokutil --list-new

Then restart:

sudo reboot

The MOK Manager screen should appear after your UEFI boot screen but before your GNU/Linux distro boots, and it will ask you to confirm that the key should be added. Follow the on-screen instructions to finish enrolling the key.

Once completed, you can confirm that it was enrolled:

sudo mokutil --list-enrolled

You can now go back to the main page to continue.
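
The verify-then-enroll steps above as a script that refuses to stage the key unless the fingerprint matches a pinned value. This is an added example, not part of the original page: the function names are hypothetical, EXPECTED_SHA256 is a placeholder for the published fingerprint, and the "SHA1 Fingerprint: " label handled for mokutil output is an assumed format.

```shell
#!/bin/sh
# Placeholder: replace with the SHA-256 fingerprint published by the key's owner.
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256_FINGERPRINT"

# Reduce any fingerprint rendering to bare lowercase hex, so that
# "SHA256 Fingerprint=AB:CD:..." (openssl) and "ab:cd:..." compare equal.
# Also strips a "Fingerprint: " label (assumed mokutil-style output).
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*Fingerprint[=:]//' \
        | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Returns 0 only if the expected value is well-formed hex of SHA-1 (40) or
# SHA-256 (64) length and equals the observed value after normalization.
# Returns 2 when the expected value is malformed (e.g. placeholder left in).
fp_matches() {
    got=$(normalize_fp "$1")
    want=$(normalize_fp "$2")
    case "$want" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || [ "${#want}" -eq 64 ] || return 2
    [ "$got" = "$want" ]
}

# Compute the SHA-256 fingerprint with the same openssl invocation used on
# this page and compare it against the pinned value.
verify_cert() {
    cert=$1; expected=$2
    actual=$(openssl x509 -noout -fingerprint -sha256 -inform der -in "$cert") \
        || return 1
    fp_matches "$actual" "$expected"
}

# Stage the key for enrollment only after verification passes.
enroll_if_verified() {
    if verify_cert "$1" "$EXPECTED_SHA256"; then
        sudo mokutil --import "$1"
    else
        echo "fingerprint check failed: not enrolling $1" >&2
        return 1
    fi
}
```

After sourcing the file, run enroll_if_verified linux-libre-mok.cer; the same fp_matches helper can compare the SHA-1 value shown by mokutil against the published SHA-1.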





Copyright © 2019, 2020 Jason Self. See license.shtml for license conditions. Please copy and share.