F41 Secure Boot with only your own keys

In Fedora 41 the efitools package was removed because it hadn’t been maintained and no longer built successfully. Unfortunately it seems there’s no information anywhere I can find on how to do secure boot without this tool.

I’m aware there’s a semi-secure method of using the pre-signed Fedora shim that relies on using the pre-enrolled Microsoft keys to verify the Fedora shim as one of the first boot steps, but like many users that’s not sufficient for my needs. A workflow for the standard replacing of all keys in the EFI is what I’m looking for.

Does anyone know any alternative tools that can do this, or some alternative way? I’d also like to avoid installing efitools from a copr repo or building it from scratch myself if I can. I’m already aware of how to do that if it comes down to it, but I’m looking for off-the-shelf alternatives to this standard workflow instead.

1 Like

That explains how to sign a kernel and kernel modules, something that has plenty of tools available, but doesn’t have anything to do with backing up existing EFI variables, clearing all existing enrolled keys, and enrolling my own key in the EFI for secure boot.
The efitools package is used exclusively by everyone I can find for virtually every setup step of that backup, wipe, and enroll process.

You can do the custom kernel signing key even with the Fedora Shim, it just adds the custom kernel signing keys so the Shim will find it and use it. In my case I’m looking for the tools and process for the keys 2 steps before that.


I should have mentioned that I did see there’s an sbctl tool that supposedly is expected to eventually be a replacement for efitools (I think?), but it’s also not available for Fedora 41 and it isn’t clear if it can do the low level backup of all EFI variables, or enrolling a new root key.

2 Likes

Well sbctl is pre-1.0 which is likely the reason why it is not in Fedora.

You can just use their binaries, they are even signed, place them in /usr/local/bin/ and use it from there.

I’ll certainly give it a shot, but I was hoping someone knew of some “blessed” workflow for doing this. Last I heard it was considered a standard use case for Fedora, just not one a ton of people use.

1 Like

You can export the existing certificates with mokutil

 mokutil --export --db
 mokutil --export --kek
 mokutil --export --pk

You may in some cases also be able to do that from the UEFI setup program.

1 Like

The mokutil is for operating on the database used by the shim according to its man page. The shim is only reached after it’s already been verified using keys in the actual hardware flash, which is what I’m asking about.

Am I mistaken that the mokutil only accesses and exports/imports from the shim’s pseudo-“EFI flash” and not from the real one?

The secure boot process is (usually):

  1. Hardware validates shim using keys from EFI Flash
  2. Boots shim
  3. Shim validates bootloader using inherited EFI Flash keys + added mok keys
  4. Boots bootloader
  5. Bootloader validates kernel using inherited EFI Flash keys + mok keys + added embedded keys
  6. Boots kernel initramfs
  7. Kernel validates drivers using inherited EFI Flash keys + mok keys + bootloader embedded keys + added kernel embedded keys

When you set up secure boot with your own keys, you can commonly set it up for the drivers, the kernel + drivers, or for everything. When setting it up for just the drivers, you usually either embed your key in the kernel or add it to the mok. For kernel + drivers, you add it to the mok. For everything, you’re trying to get rid of the Microsoft and Motherboard manufacturer’s keys in the EFI Flash and include only your own so that even the Fedora shim has to be signed by your custom key.
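The firmware-level key stores the thread is talking about (PK, KEK, db, dbx, as opposed to the shim's MokList) are ordinary UEFI variables, and Linux exposes them under efivarfs as files whose first 4 bytes are the variable attributes followed by a chain of EFI_SIGNATURE_LIST structures. Whether you back them up with mokutil, sbctl or plain `cat`, it helps to be able to read that format yourself before wiping and re-enrolling anything. The following is an added example written for this thread, not code from any of the tools mentioned or from Fedora: it parses EFI_SIGNATURE_LIST blobs into (type, owner, data) entries and is exercised on a sample blob constructed in the block. The signature-type and variable GUIDs are the ones defined in the UEFI specification; the owner GUID, the certificate bytes and the hash inputs are constructed placeholders, and `EFIVARS_DIR` is only the conventional mount point, not something the block touches.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass

# GUIDs from the UEFI specification (signature types and variable vendor GUIDs).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")        # PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx

# Conventional efivarfs mount point; the variable file is "<Name>-<VendorGUID>".
EFIVARS_DIR = "/sys/firmware/efi/efivars"
SIG_LIST_HEADER = 16 + 4 + 4 + 4  # SignatureType GUID + three UINT32 fields


@dataclass
class SignatureEntry:
    sig_type: uuid.UUID   # EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID, ...
    owner: uuid.UUID      # SignatureOwner: who enrolled this entry
    data: bytes           # DER certificate or raw hash, depending on sig_type


def strip_efivarfs_attrs(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word; drop it."""
    if len(raw) < 4:
        raise ValueError("efivarfs variable shorter than its attribute header")
    return raw[4:]


def parse_signature_lists(blob: bytes) -> list[SignatureEntry]:
    """Walk a chain of EFI_SIGNATURE_LIST structures, validating every size field."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize {sig_size} leaves no room for data")
        body = blob[off + SIG_LIST_HEADER + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):  # each item is an EFI_SIGNATURE_DATA
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append(SignatureEntry(sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def describe(entry: SignatureEntry) -> str:
    kind = {EFI_CERT_X509_GUID: "X.509 cert", EFI_CERT_SHA256_GUID: "SHA-256 hash"}
    return f"{kind.get(entry.sig_type, str(entry.sig_type))}, {len(entry.data)} bytes, owner {entry.owner}"


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all items in a list must have equal size."""
    if len({len(d) for d in items}) != 1:
        raise ValueError("all signatures in one list must be the same size")
    body = b"".join(owner.bytes_le + d for d in items)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, 16 + len(items[0])) + body


# Constructed sample: one X.509 entry and two hash entries, as a db variable might contain.
SAMPLE_OWNER = uuid.UUID(int=1)                              # constructed owner GUID
SAMPLE_CERT = b"\x30\x82\x00\x10" + b"\xaa" * 16             # constructed stand-in for a DER cert
SAMPLE_HASH_A = hashlib.sha256(b"constructed-hash-a").digest()
SAMPLE_HASH_B = hashlib.sha256(b"constructed-hash-b").digest()
SAMPLE_BLOB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
               + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_HASH_A, SAMPLE_HASH_B]))
SAMPLE_EFIVAR = b"\x27\x00\x00\x00" + SAMPLE_BLOB            # constructed efivarfs file content

if __name__ == "__main__":
    for e in parse_signature_lists(strip_efivarfs_attrs(SAMPLE_EFIVAR)):
        print(describe(e))
```

On a real machine the same parser applies to `open(f"{EFIVARS_DIR}/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}", "rb").read()` and to the PK and KEK files under `EFI_GLOBAL_VARIABLE`; listing the owner GUIDs and certificate subjects before clearing the stores is a cheap way to confirm the backup is complete and to spot the OEM entries (dbx in particular) you may want to re-enroll alongside your own key.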

Try it out, and you can export also the pk, kek and db key stores.