The kernels for the amd64 and i386 architectures support UEFI Secure Boot. If your computer doesn't support this, or if you don't want to use it, you can skip all of this and go back to the main page.
If you do want to use these kernels with UEFI Secure Boot enabled, you should fetch and install the key with which the kernels are signed:
Confirm that it's the right one. The fingerprint is provided as both SHA-1 and SHA-256 because SHA-256 is more secure but the mokutil program and MOK Manager will show the SHA-1 hash. Providing both here allows for
openssl x509 -noout -fingerprint -sha1 -inform der -in linux-libre-mok.cer
openssl x509 -noout -fingerprint -sha256 -inform der -in linux-libre-mok.cer
As long as it matches, enroll the key. Note that enrolling a key is a multistep process. mokutil is used to start the process, but the change can only be confirmed at boot time. First:
sudo mokutil --import linux-libre-mok.cer
You will be asked for a temporary password for this enrollment request. Remember this password; MOK Manager will ask you for it later.
Confirm that it's prepared to be enrolled:
sudo mokutil --list-new
At boot, after your UEFI boot screen but before your GNU/Linux distro boots, the MOK Manager screen should appear and ask you to confirm that the key should be added. Follow the on-screen instructions to finish enrolling the key.
Once completed, you can confirm that it was enrolled:
sudo mokutil --list-enrolled
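The fingerprint comparison described above can be scripted so that the import only runs when both hashes match. This is an added example, not part of the original instructions or the project's own tooling; the function names are hypothetical, and the expected fingerprints are placeholders to be copied from a trusted copy of this page.

```shell
#!/bin/sh
# Added example: check a DER certificate's fingerprints before enrolling it.

# Reduce a fingerprint to bare uppercase hex, so the openssl form
# ("sha1 Fingerprint=AB:CD..."), the mokutil form ("SHA1 Fingerprint: ab:cd...")
# and plain hex all compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*[Ff]ingerprint[=:]//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# True only if $1 is exactly $2 hex digits (40 for SHA-1, 64 for SHA-256).
# Rejects truncated pastes, empty openssl output and unfilled placeholders.
is_hex_len() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!0-9A-F]*) return 1 ;; esac
    return 0
}

# Compare two fingerprints ($1, $2) in any of the formats above; $3 = hex length.
fp_equal() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    is_hex_len "$a" "$3" && is_hex_len "$b" "$3" && [ "$a" = "$b" ]
}

# Print the fingerprint of DER file $1 using digest $2 (sha1 or sha256),
# with the same openssl invocation the page uses.
cert_fp() {
    openssl x509 -noout -fingerprint "-$2" -inform der -in "$1"
}

# $1 = certificate file, $2 = expected SHA-1, $3 = expected SHA-256.
# Succeeds only when both digests match.
verify_mok_cert() {
    fp_equal "$(cert_fp "$1" sha1)" "$2" 40 || { echo "SHA-1 mismatch" >&2; return 1; }
    fp_equal "$(cert_fp "$1" sha256)" "$3" 64 || { echo "SHA-256 mismatch" >&2; return 1; }
    echo "fingerprints match"
}

# Usage (the quoted values are placeholders, not real fingerprints):
#   verify_mok_cert linux-libre-mok.cer "<SHA-1 from the page>" "<SHA-256 from the page>" \
#       && sudo mokutil --import linux-libre-mok.cer
```

Because normalize_fp also accepts the "SHA1 Fingerprint: ..." form, fp_equal can be used to compare the SHA-1 value shown by mokutil or MOK Manager against the expected one.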
You can now go back to the main page to continue.
Copyright © 2019, 2020 Jason Self. See license.shtml for license conditions. Please copy and share.