Enabling secure boot on Surface Pro 1 and getting Fedora 40 workstation to boot

Hey there, I just installed Fedora 40 workstation on my old Surface Pro 1 tablet to try it out over the winter. However, I am having issues with secure boot.

I had to disable secure boot to install Fedora, and once everything was installed I went back into the Surface BIOS and enabled secure boot. However, if I try to boot with it enabled it says the signature is invalid and will not boot.

I am guessing the default Fedora signature is incompatible with the Surface Pro 1, but I didn’t have much luck finding anything on the best way to rectify this issue. I did find this info on secure boot from linux-surface but figured I should ask here first!

Since I have the Surface Pro 1, I do not have any option to allow third party anything. Just enable or disable.

Reboot and disable Secure Boot if it’s currently enabled.
Boot into Fedora.
Install the required packages:

sudo dnf install shim mokutil

Check if Shim is installed correctly:

sudo mokutil --sb-state

This should show that Secure Boot is disabled.
Enroll a new key: Generate a new Machine Owner Key (MOK) or use the existing key provided by Fedora to sign the bootloader.

sudo mokutil --import <your_key_file.der>

You will be prompted to set a password for enrolling this key.

Reboot to Enroll Key:

On reboot, you will be prompted by the MOK Manager to enroll the key you just registered. Select “Enroll key” and follow the prompts using the password you set.
After enrolling the key, you should be able to enable Secure Boot and boot Fedora without errors.

Otherwise, use something that comes with a Surface-patched kernel, or distros that provide a Surface-patched kernel.
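
The steps from the reply above, wrapped in a pre-flight script (an added example, not part of the thread): it reports the Secure Boot state, checks that the key file is DER-encoded as `mokutil --import` expects, converts or generates it if needed, and then imports it. The file name `MOK.der`, the `Example MOK` CN and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks around `mokutil --import`.
# MOK.der, the CN and all function names are assumed, not from the thread.

# Reduce `mokutil --sb-state` output (read on stdin) to one word.
sb_state() {
    out=$(cat)
    case "$out" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;  # e.g. EFI variables unavailable
    esac
}

# mokutil --import expects a DER-encoded X.509 certificate; handing it a PEM
# file is a common mistake. DER starts with byte 0x30 (ASN.1 SEQUENCE).
key_format() {
    [ -r "$1" ] || { echo missing; return 0; }
    if [ "$(head -c 10 "$1" | tr -d '\000')" = "-----BEGIN" ]; then echo pem; return 0; fi
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der; else echo unknown; fi
}

enroll() {
    key=$1
    echo "Secure Boot: $(mokutil --sb-state 2>&1 | sb_state)"
    case "$(key_format "$key")" in
        der) ;;
        pem) # convert to the encoding mokutil expects
             openssl x509 -in "$key" -outform DER -out "$key.der" || return 1
             key="$key.der" ;;
        missing) # generate a self-signed MOK; the private key is unencrypted
             openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
                 -subj "/CN=Example MOK/" -keyout "${key%.*}.priv" \
                 -outform DER -out "$key" || return 1
             chmod 600 "${key%.*}.priv" ;;
        *)   echo "$key is not an X.509 certificate" >&2; return 1 ;;
    esac
    sudo mokutil --import "$key"   # prompts for the one-time enrollment password
    sudo mokutil --list-new        # keys MOK Manager will offer on next boot
}

# Run as: ./mok-preflight.sh enroll MOK.der
if [ "${1:-}" = "enroll" ]; then enroll "${2:-MOK.der}"; fi
```
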

Thanks for the info! I’ll give it a whirl.
