UEFI Secure Boot

Wed, 7 Aug 2019

My kernel packages for 32- and 64-bit x86 now support UEFI Secure Boot.

I've generated a Machine Owner Key (MOK) for this purpose. People that have machines that support Secure Boot, and that want to use it, can enroll this key on their computer to verify the kernel when booting.

It's possible to enable Secure Boot on a system that already has an existing Linux-libre installation. This is a multi-step process.

First you should make sure that your GNU/Linux distro and your hardware really do support UEFI Secure Boot.

If they do, and you want to use it, you should fetch and install the key with which the kernels are signed:

wget https://jxself.org/linux-libre-mok.cer

Check that it's the right one. The fingerprint is provided below as both SHA-1 and SHA-256 because SHA-256 is more secure but the mokutil program and MOK Manager will show the SHA-1. Providing both here allows for easy comparison.

openssl x509 -noout -fingerprint -sha1 -inform der -in linux-libre-mok.cer
openssl x509 -noout -fingerprint -sha256 -inform der -in linux-libre-mok.cer

As long as it matches, enroll the key. Note that enrolling a key is a multistep process. mokutil is used to start the process but the change can only be confirmed at boot time. First:

sudo mokutil --import linux-libre-mok.cer

You will be asked for a temporary password for this enrollment request. Remember this password; MOK Manager will ask you for it later.

Check that it's prepared to be enrolled:

sudo mokutil --list-new

Then restart:

sudo reboot

The MOK Manager screen should appear after your UEFI boot screen but before your GNU/Linux distro boots to confirm that the key should be added. Follow the on-screen instructions to finish enrolling the key.

Once completed you can check that it was enrolled:

sudo mokutil --list-enrolled

Once the key has been enrolled you should also enable validation in the shim bootloader:

sudo mokutil --enable-validation

Once again you will be asked for a temporary password. Make sure to remember it.

Restart again:

sudo reboot

The MOK Manager screen should appear once again. Follow the on-screen instructions to enable validation.

As the last step, make sure that Secure Boot is enabled at the firmware level:

mokutil --sb-state

You should see:

SecureBoot enabled

If not please reboot and modify your UEFI firmware settings to turn on Secure Boot. There are many different user interfaces and I can't cover them all. It may be necessary to refer to the information about the make and model of your computer to finalize Secure Boot.




How To


RSS Feed

About Me

Contact Me

This project enforces the 

If you appreciate any of the things I am doing you can make a donation.

Copyright © 2019 Jason Self. See license.shtml for license conditions. Please copy and share.