In Fedora 41 the efitools package was removed because it hadn’t been maintained and no longer built successfully. Unfortunately it seems there’s no information anywhere I can find on how to do secure boot without this tool.
I’m aware there’s a semi-secure method of using the pre-signed Fedora shim that relies on using the pre-enrolled Microsoft keys to verify the Fedora shim as one of the first boot steps, but like many users that’s not sufficient for my needs. A workflow for the standard replacing of all keys in the EFI is what I’m looking for.
Does anyone know any alternative tools that can do this, or some alternative way? I’d also like to avoid installing efitools from a copr repo or building it from scratch myself if I can. I’m already aware of how to do that if it comes down to it, but I’m looking for off-the-shelf alternatives to this standard workflow instead.
That explains how to sign a kernel and kernel modules, something that has plenty of tools available, but doesn’t have anything to do with backing up existing EFI variables, clearing all existing enrolled keys, and enrolling my own key in the EFI for secure boot.
The efitools package is used exclusively by everyone I can find for virtually every setup step of that backup, wipe, and enroll process.
You can do the custom kernel signing key even with the Fedora Shim, it just adds the custom kernel signing keys so the Shim will find it and use it. In my case I’m looking for the tools and process for the keys 2 steps before that.
I should have mentioned that I did see there’s an sbctl tool that supposedly is expected to eventually be a replacement for efitools (I think?), but it’s also not available for Fedora 41 and it isn’t clear if it can do the low level backup of all EFI variables, or enrolling a new root key.
I’ll certainly give it a shot, but I was hoping someone knew of some “blessed” workflow for doing this. Last I heard it was considered a standard use case for Fedora, just not one a ton of people use.
The mokutil is for operating on the database used by the shim according to its man page. The shim is only reached after it’s already been verified using keys in the actual hardware flash, which is what I’m asking about.
Am I mistaken that the mokutil only accesses and exports/imports from the shim’s pseudo-“EFI flash” and not from the real one?
When you set up secure boot with your own keys, you can commonly set it up for the drivers, the kernel + drivers, or for everything. When setting it up for just the drivers, you usually either embed your key in the kernel or add it to the mok. For kernel + drivers, you add it to the mok. For everything, you’re trying to get rid of the Microsoft and Motherboard manufacturer’s keys in the EFI Flash and include only your own so that even the Fedora shim has to be signed by your custom key.
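As an added example (not code from this thread, nor from efitools or sbctl), here is a small Python parser for the EFI_SIGNATURE_LIST format in which PK, KEK, db and dbx are stored, the format a backup of those variables has to preserve and the one you would inspect to see which vendor keys are currently enrolled before replacing them. The sample variable contents and the owner GUID are constructed; on a real system the input would be a file under /sys/firmware/efi/efivars/ such as db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, which carries a 4-byte attribute word in front of the variable data.

```python
import struct
import uuid

# GUIDs the UEFI spec assigns to signature list entry types.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

def build_signature_list(sig_type, owner, payloads):
    """Pack one EFI_SIGNATURE_LIST (no SignatureHeader) from equal-sized payloads."""
    sig_size = 16 + len(payloads[0])
    sigs = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sigs), 0, sig_size) + sigs

def parse_signature_lists(data, efivarfs=True):
    """Return (type, owner, data) dicts for a PK/KEK/db/dbx blob.
    efivarfs files prepend a 4-byte attribute word; pass efivarfs=False for raw .esl data.
    """
    if efivarfs:
        data = data[4:]
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size out of bounds")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                "data": body[i + 16:i + sig_size],
            })
        off += list_size
    return entries

# Constructed sample standing in for a db variable read from efivarfs:
# attribute word, one x509 list holding a placeholder certificate blob, and
# one sha256 list holding two hash entries. Not real firmware content.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 30])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\xaa" * 32, b"\xbb" * 32]))
```

Reading the real variable files with `open(path, "rb").read()` and passing them through `parse_signature_lists` lists every enrolled certificate and hash with its owner GUID, which is the inventory worth saving before the PK is cleared.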