EFI Secure Boot

Enable, disable … ? I use modern devices with BIOS on flash memory. Experience with Lenovo ThinkPad, Clevo laptop or ASRock motherboard shows standard BIOS dialog allows to erase EFI secure boot signature using standard dialog instructions so with Linux no problem and you can push Red Hat EFI secure boot signature into BIOS, same with Suse. The Lenovo X270 ThinkPad was delivered with Windows 8 Pro edition compatible with Windows 10 as beta tester, now with only Linux, secure boot enabled but no EFI signature so just boots. You can roll back to initial Windows 8 EFI secure boot signature as a permanent option. Any thoughts … ?

Leave the secure boot alone in bios. Fedora already has a signed kernel and is automatically enabled to boot with secure boot enabled.

The only time it interferes with fedora is when the user tries to use certain devices that have their own compiled drivers that do not come directly from the fedora repos. Examples are nvidia and VirtualBox. In that case the system will still boot but will not load the unsigned modules.

When using those devices or software then either disable secure boot without altering the keys used (unsigned modules would load), or alternatively create your own keys and enroll that key into the bios so the modules can be self-signed and will load with secure boot enabled.

For software built from akmod packages the user can install akmods then follow the instructions at /usr/share/doc/akmods/README.secureboot to generate the key and import it into bios. Following that each module built with akmods will be automatically signed for use.