jxself.org

UEFI Secure Boot

Wed, 7 Aug 2019

My kernel packages for 32- and 64-bit x86 now support UEFI Secure Boot.

I've generated a Machine Owner Key (MOK) for this purpose. People whose machines support Secure Boot, and who want to use it, can enroll this key on their computer so that the kernel is verified when booting.

It's possible to enable Secure Boot on a system that already has an existing Linux-libre installation. This is a multi-step process.

First you should make sure that your GNU/Linux distro and your hardware really do support UEFI Secure Boot.

If they do, and you want to use it, you should fetch and install the key with which the kernels are signed:

wget https://jxself.org/linux-libre-mok.cer

Check that it's the right one. The fingerprint is provided below as both SHA-1 and SHA-256: SHA-256 is the stronger digest, but the mokutil program and MOK Manager will show the SHA-1. Providing both here allows for easy comparison.

openssl x509 -noout -fingerprint -sha1 -inform der -in linux-libre-mok.cer
EA:6D:07:60:A3:DC:1E:8A:BF:41:F4:4A:F1:FF:D1:2E:C8:63:E5:7B
openssl x509 -noout -fingerprint -sha256 -inform der -in linux-libre-mok.cer
5A:39:E0:D2:DD:1E:EF:F4:DB:D3:0A:F4:1E:CA:72:7E:B7:E7:FC:1F:5A:4B:88:CC:CE:3B:52:0C:D9:66:76:FF
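The fingerprint check above can also be done without openssl, since the fingerprint is just a digest of the certificate's raw DER bytes. This is an added example, not part of the original post: it reads the downloaded file, prints both digests (the SHA-1 being the one MOK Manager will display) and compares the SHA-256 against the value published above using a constant-time comparison. The file name and the helper names are assumptions.

```python
import hashlib
import hmac
import sys

# Fingerprints published above for the Linux-libre MOK.
EXPECTED_SHA256 = ("5A:39:E0:D2:DD:1E:EF:F4:DB:D3:0A:F4:1E:CA:72:7E:"
                   "B7:E7:FC:1F:5A:4B:88:CC:CE:3B:52:0C:D9:66:76:FF")
EXPECTED_SHA1 = "EA:6D:07:60:A3:DC:1E:8A:BF:41:F4:4A:F1:FF:D1:2E:C8:63:E5:7B"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case fingerprint, as printed by
    `openssl x509 -fingerprint`: the digest over the raw DER bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept "EA:6D:...", "ea6d...", or mokutil-style lower-case with colons.
    return fp.replace(":", "").replace(" ", "").lower()


def matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """True if the certificate's fingerprint equals `expected`.
    compare_digest keeps the comparison constant-time."""
    actual = _normalize(fingerprint(der, algo))
    return hmac.compare_digest(actual, _normalize(expected))


def check_mok(path: str = "linux-libre-mok.cer") -> bool:
    """Read the DER certificate and verify both published fingerprints
    (hypothetical helper; the file name is the one used in this post)."""
    with open(path, "rb") as f:
        der = f.read()
    print("SHA-1  :", fingerprint(der, "sha1"))    # what MOK Manager shows
    print("SHA-256:", fingerprint(der, "sha256"))
    ok = matches(der, EXPECTED_SHA256, "sha256") and matches(der, EXPECTED_SHA1, "sha1")
    print("MATCH" if ok else "MISMATCH: do not enroll this key")
    return ok


if __name__ == "__main__":
    sys.exit(0 if check_mok(*sys.argv[1:2]) else 1)
```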

As long as it matches, enroll the key. Note that enrolling a key is a multi-step process: mokutil is used to start the process, but the change can only be confirmed at boot time. First:

sudo mokutil --import linux-libre-mok.cer

You will be asked for a temporary password for this enrollment request. Remember this password; MOK Manager will ask you for it later.

Check that it's prepared to be enrolled:

sudo mokutil --list-new

Then restart:

sudo reboot

The MOK Manager screen should appear after your UEFI boot screen but before your GNU/Linux distro boots, asking you to confirm that the key should be added. Follow the on-screen instructions to finish enrolling the key.

Once completed you can check that it was enrolled:

sudo mokutil --list-enrolled

Once the key has been enrolled you should also enable validation in the shim bootloader:

sudo mokutil --enable-validation

Once again you will be asked for a temporary password. Make sure to remember it.

Restart again:

sudo reboot

The MOK Manager screen should appear once again. Follow the on-screen instructions to enable validation.

As the last step, make sure that Secure Boot is enabled at the firmware level:

mokutil --sb-state

You should see:

SecureBoot enabled

If not, reboot and modify your UEFI firmware settings to turn on Secure Boot. There are many different user interfaces and I can't cover them all. It may be necessary to refer to the documentation for the make and model of your computer to finalize Secure Boot.