Wed, 7 Aug 2019
My kernel packages for 32- and 64-bit x86 now support UEFI Secure Boot.
I've generated a Machine Owner Key (MOK) for this purpose. People who have machines that support Secure Boot, and who want to use it, can enroll this key on their computer so that the kernel's signature is verified when booting.
It's possible to enable Secure Boot on a system that already has an existing Linux-libre installation. This is a multi-step process.
First you should make sure that your GNU/Linux distro and your hardware really do support UEFI Secure Boot.
If they do, and you want to use it, you should fetch and install the key with which the kernels are signed:
Check that it's the right one. The fingerprint is provided below as both SHA-1 and SHA-256: SHA-256 is the one to rely on, since SHA-1 is no longer considered collision-resistant, but the mokutil program and MOK Manager will only show the SHA-1. Providing both here allows for easy comparison at each stage.
openssl x509 -noout -fingerprint -sha1 -inform der -in linux-libre-mok.cer
openssl x509 -noout -fingerprint -sha256 -inform der -in linux-libre-mok.cer
As long as it matches, enroll the key. Note that enrolling a key is itself a multistep process: mokutil is used to start the process, but the change can only be confirmed at boot, from MOK Manager.
sudo mokutil --import linux-libre-mok.cer
You will be asked for a temporary password for this enrollment request. Remember this password; MOK Manager will ask you for it at the next boot to confirm that the request came from someone with access to the console.
Check that it's prepared to be enrolled:
sudo mokutil --list-new
The MOK Manager screen should appear after your UEFI boot screen but before your GNU/Linux distro boots to confirm that the key should be added. Follow the on-screen instructions to finish enrolling the key.
Once completed you can check that it was enrolled:
sudo mokutil --list-enrolled
Once the key has been enrolled you should also make sure that signature validation is enabled in the shim bootloader (it is on by default, but it may have been turned off earlier with mokutil --disable-validation):
sudo mokutil --enable-validation
Once again you will be asked for a temporary password. Make sure to remember it.
The MOK Manager screen should appear once again. Follow the on-screen instructions to enable validation.
As the last step, make sure that Secure Boot is enabled at the firmware level:
You should see:
If not, please reboot and turn on Secure Boot in your UEFI firmware settings. There are many different user interfaces and I can't cover them all. It may be necessary to refer to the documentation for the make and model of your computer to finalize Secure Boot.
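The whole procedure above, collected into one POSIX shell script, as an added example that is not part of the original post. Instead of comparing fingerprints by eye, it pins the downloaded certificate to an expected SHA-256 fingerprint and refuses to import anything else. Assumptions: the certificate file is called linux-libre-mok.cer as above; EXPECTED_SHA256 is a placeholder you fill in from the fingerprint published by the key owner; the firmware check uses mokutil --sb-state, whose output is "SecureBoot enabled" or "SecureBoot disabled" (this is my choice of command, the original's command for that step is not shown).

```shell
#!/bin/sh
# Added example, not from the original post: verify, then enroll, a MOK certificate.
# Usage: EXPECTED_SHA256='AB:CD:...' sh mok-enroll.sh linux-libre-mok.cer
set -e

# Placeholder: the published SHA-256 fingerprint of the certificate (assumption:
# you paste it here or pass it in the environment before running).
EXPECTED_SHA256="${EXPECTED_SHA256:-}"

# Normalize a fingerprint so that "SHA256 Fingerprint=AB:CD:EF", "ab:cd:ef" and
# "abcdef" all compare equal: drop the openssl label, the colons and the case.
normalize_fp() {
    printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ':' | tr 'A-F' 'a-f' | tr -d ' \n'
}

# SHA-256 fingerprint of a DER-encoded certificate, as openssl prints it.
cert_fp_sha256() {
    openssl x509 -noout -fingerprint -sha256 -inform der -in "$1"
}

# Succeeds only when the two fingerprints are the same after normalization.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Interpret the output of `mokutil --sb-state`; succeeds only for "SecureBoot enabled".
sb_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    cer="$1"
    [ -n "$EXPECTED_SHA256" ] || { echo "set EXPECTED_SHA256 to the published fingerprint first" >&2; exit 2; }
    actual="$(cert_fp_sha256 "$cer")"
    if ! fp_matches "$actual" "$EXPECTED_SHA256"; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        exit 1
    fi
    echo "fingerprint OK: $actual"

    # Start the enrollment; mokutil asks for the one-time password that
    # MOK Manager will request at the next boot.
    sudo mokutil --import "$cer"
    echo "pending enrollment requests:"
    sudo mokutil --list-new

    # Firmware-level check: shim can only enforce signatures if Secure Boot is on.
    if sb_enabled "$(mokutil --sb-state)"; then
        echo "Secure Boot is enabled in firmware"
    else
        echo "Secure Boot is NOT enabled; turn it on in the UEFI firmware settings" >&2
    fi
    echo "Reboot now and follow the MOK Manager prompts to finish enrolling the key."
}

# Only run the enrollment when a certificate path is given, so the functions
# above can also be sourced and checked on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

After the reboot and the MOK Manager confirmation, `sudo mokutil --list-enrolled` should show the key, and `sudo mokutil --enable-validation` can be run separately if shim validation had been turned off.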
Copyright © 2019 Jason Self. See license.shtml for license conditions. Please copy and share.