FDE and Custom Keys Secure Boot Questions

Hello,

I recently purchased a brand new Framework Laptop 13 with the Intel Core Ultra Series 1 (https://frame.work). I haven’t even turned it on yet. I know that I want to use Fedora as the operating system, but I would also like to increase its security and usability in the following ways:

  1. Full Disk Encryption (with single password sign-in by bypassing additional passphrase prompt using the TPM2 Method)
  2. UEFI secure boot with a custom key (including removing the Microsoft keys)
  3. Add Snapshot and Rollback Support

I located these two guides, which in theory together should allow me to do what I am looking for:

https://sysguides.com/install-fedora-with-luks-fde-snapshot-rollback-support#112-using-tpm2-method

Questions:

  1. Should I set up the secure boot with custom keys before or after setting up FDE?
  2. Is there anything I need to check on / know about before I would remove the Microsoft keys to make sure I don’t brick my computer? Is there any functionality that I may lose by removing them? (I will not be using Microsoft software on the computer)
  3. Is there a benefit or disadvantage to GNOME vs KDE desktop environment? (I have read plenty that describes the GNOME desktop more simple and KDE more customizable. I really just don’t know what this means from a practical standpoint.)
    A. Is there any features or security concerns I need to know related to either of these?
    B. If I went with GNOME, is there any changes I need to make to the above UEFI secure boot guide, as that is written related to KDE.
  4. Is there any changes I need to make to the steps from the above guides to make this work?
  5. Is there a way to backup the bios before I make any changes, just in case. Is that even a thing?

My background:
I have basically no Linux experience. I have always been the family / resident “tech guy” but mostly I just know how to web search, navigate computers, and troubleshoot with trial and error. I have very very basic coding knowledge (mostly searching for pre-typed code for what I need and dropping it in a website). I currently don’t have a working computer to test anything on a Linux VM. I am not convinced it would help much, as the bios and hardware will be different on the Framework anyways.

I did look at other guides and posts but cannot seem to find anything that addresses what I have questions on.
I’m sorry if any of these are stupid noob questions, but any help would be greatly appreciated.

Firstly, welcome to Fedora!

I have basically no Linux experience.

While all of what you’re suggesting can be done, based on that statement I would recommend not straying too far from the default and tested setups until you have built up some knowledge and experience. If this is a spare laptop, go for it! If it’s going to be your main machine then I’d suggest sticking to a more default setup for now. You could always come back and try some of this out later (after backing up your data!) once you’re confident about how to recover if things go wrong.

To try and answer your questions though:

  1. Should I set up the secure boot with custom keys before or after setting up FDE?

I would only set up custom keys if you actually need to, and in that case I’d set them up after installation (you can configure disk encryption during setup for everything apart from /boot).

  2. Is there anything I need to check on / know about before I would remove the Microsoft keys to make sure I don’t brick my computer? Is there any functionality that I may lose by removing them? (I will not be using Microsoft software on the computer)

I would strongly recommend that you don’t remove the existing secure boot keys from your machine. With the default keys installed, installation media and any built-in diagnostics tools will continue to work as intended, while without them you could easily end up locking yourself out of your system. Bootloader and firmware updates would be the highest risks there, as far as I can see.

Assuming the laptop allows you to disable secure boot (it should!) then you can always do that to regain access, but if you follow the TPM guide for disk encryption then you must make sure you have a valid password to unlock the disk as well (as disabling secure boot would stop the TPM providing its key).

  3. Is there a benefit or disadvantage to GNOME vs KDE desktop environment? (I have read plenty that describes the GNOME desktop more simple and KDE more customizable. I really just don’t know what this means from a practical standpoint.)
    A. Is there any features or security concerns I need to know related to either of these?
    B. If I went with GNOME, is there any changes I need to make to the above UEFI secure boot guide, as that is written related to KDE.

This is very much a matter of personal preference, but that’s a fair summary of the two. It’s been a long time since I tried it, but I don’t think there is anything (apart from available disk space!) to stop you installing both and switching between them when you log in if you want to try both. There might be some small differences between e.g. KDE installed onto a system that started with GNOME vs a system that used the KDE installer, but nothing that should matter for trying them out.

B - There’s nothing obvious that would need to change, but I’m not going to vouch for instructions I’ve not tested I’m afraid.

  4. Is there any changes I need to make to the steps from the above guides to make this work?

As above - I’m not in a position to review the contents of those guides completely to verify them, so I can’t really comment here.

  5. Is there a way to backup the bios before I make any changes, just in case. Is that even a thing?

Some BIOSes do offer that option, you’ll have to have a look around to see what the case is for that machine.
Every machine I’ve worked with has at least had a “reset to defaults” option, and I’ve seen that for resetting the secure boot databases as well - but that’s on a smaller number of machines.

Whatever you decide, good luck and I hope you enjoy using Fedora once it’s set up.

I would also suggest starting the easy way, since the link you provided requires lots of tweaks, some of them possibly not thoroughly tested. So I would rather:

  • Choose the preferred Fedora edition/spin, which can easily be done by running live sessions of the installable ISOs.[1] Fedora Workstation edition is Fedora’s main desktop offering, featuring GNOME as a desktop environment, but the Fedora KDE Plasma Desktop spin also receives lots of attention both from maintainers, as well as the users active here in the forums.
  • Start the installation of the chosen edition/spin, going with the proposed LUKS2 disk encryption (not enabled by default but available as an option during the installation process).
  • Since the / and /home partitions are set up by default as btrfs subvolumes, you can set up snapshots as desired. You can find here and here some nice Fedora Magazine articles regarding btrfs and snapshot usage. Or you can install BTRFS Assistant (btrfs-assistant) for a GUI management tool.
  • Enjoy, and come back here to Fedora Discussion if you encounter issues.

  1. There are several reports advising against having both GNOME and KDE DEs installed on the same system and used by the same user.

Going through the linked webpage, it has a lot of background information on how things work. But some commands shown are provided by the package efitools, and that package will disappear in Fedora 41 due to a compile error.

So, despite it being dated 2024, it is close to being obsolete information. The shim solution is tried and tested for many years, and is the recommended way to set up Fedora with secure boot.

Thanks for the recommendation and clarification. I wasn’t aware of that about efitools. Can you clarify what you mean about the “shim solution”?

Thank you! With the “proposed LUKS2 disk encryption”, is that the method that results in an unencrypted boot partition?

Thank you for such a detailed response!
Do you know of a good way to also encrypt the /boot?
Clarification, when you say “if you follow the TPM guide for disk encryption then you must make sure you have a valid password to unlock the disk as well” are you just saying to make sure to save the passwords I used through the TPM and FDE process or is this something additional?

The “shim solution” is what Fedora and some other distributions use out of the box.

The UEFI firmware first loads /boot/efi/EFI/fedora/shimx64.efi. This efi program is signed by the Microsoft key which most systems have stored in the “db” keystore. “shimx64.efi” implements an extra keystore, namely the “mok”, a keystore where you can enroll additional keys. Next, /boot/efi/EFI/fedora/grubx64.efi is loaded and run. grubx64.efi is signed by a Fedora key which is stored in the shim, and grub can then load the Linux kernel, which is also stored by the shim.

Extra kernel modules such as nvidia modules or virtualbox modules will need to be signed by a local key that you can generate and enroll in the mok store.
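To see concretely what the keystores described in this thread contain, here is an added example (not code from the thread, from Fedora or from the shim project): a small script that parses the UEFI signature databases (PK, KEK, db, dbx) and the MokListRT variable that shim publishes for the MOK store, so you can check which CAs your firmware and shim will accept before touching them, and confirm that a key you enrolled with mokutil actually landed in the MOK list. It assumes the standard Linux efivars layout (a file per variable under /sys/firmware/efi/efivars, four attribute bytes followed by EFI_SIGNATURE_LIST structures) and the well-known EFI_CERT_X509 / EFI_CERT_SHA256 type GUIDs; the sample bytes at the bottom are constructed here so the script also runs offline on a machine without UEFI. It does not decode the DER certificates themselves; it prints a SHA-256 fingerprint of each entry that you can compare against a certificate you hold.

```python
"""List what a UEFI Secure Boot keystore actually contains (added example).

Linux exposes each UEFI variable as a file under
/sys/firmware/efi/efivars/<Name>-<VendorGuid>; the first four bytes are the
variable attributes, the rest is a chain of EFI_SIGNATURE_LIST structures.
PK, KEK, db, dbx and shim's MokListRT all use that layout.
"""
from __future__ import annotations

import hashlib
import struct
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

EFIVARS = Path("/sys/firmware/efi/efivars")
# Variable name plus vendor GUID, exactly as the efivars file is named.
KEYSTORES = {
    "PK": "PK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "KEK": "KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "db": "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "dbx": "dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "MokListRT": "MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23",
}
# EFI_SIGNATURE_LIST header: SignatureType GUID, ListSize, HeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes) -> list[dict]:
    """Split concatenated EFI_SIGNATURE_LISTs into individual entries.

    Each list holds entries of one type and one fixed SignatureSize; every
    entry is an EFI_SIGNATURE_DATA: a 16-byte SignatureOwner GUID followed by
    the DER certificate or hash bytes. Sizes are validated so a truncated or
    corrupt variable raises instead of silently yielding garbage.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError(f"truncated signature list header at offset {off}")
        type_bytes, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=type_bytes)
        body_start = off + ESL_HEADER.size + hdr_size
        body_end = off + list_size
        if list_size < ESL_HEADER.size + hdr_size or body_end > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = data[body_start:body_end]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        if sig_type == EFI_CERT_X509_GUID:
            kind = "x509"
        elif sig_type == EFI_CERT_SHA256_GUID:
            kind = "sha256"
        else:
            kind = f"unknown({sig_type})"
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append({"kind": kind, "owner": uuid.UUID(bytes_le=entry[:16]),
                            "data": entry[16:]})
        off = body_end
    return entries


def describe(entry: dict) -> str:
    """One line per entry: type, owner, and the hash or a cert fingerprint."""
    if entry["kind"] == "sha256":  # the entry itself is the hash of a binary
        return f"sha256 hash  owner={entry['owner']}  {entry['data'].hex()}"
    fp = hashlib.sha256(entry["data"]).hexdigest()
    return (f"{entry['kind']} cert ({len(entry['data'])} bytes)  "
            f"owner={entry['owner']}  sha256={fp}")


def read_keystore(name: str) -> list[dict] | None:
    """Parse one keystore from efivars; None if the variable is not present."""
    path = EFIVARS / KEYSTORES[name]
    if not path.is_file():
        return None
    return parse_signature_lists(path.read_bytes()[4:])  # skip attributes word


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (no signature header); used for the sample."""
    if len({len(s) for s in sigs}) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + len(sigs[0])
    out = ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + sig_size * len(sigs), 0, sig_size)
    return out + b"".join(owner.bytes_le + s for s in sigs)


# Constructed sample: one fake "certificate" (not real DER) plus two hash entries,
# the shapes you would see in db (CA certs) and dbx (revoked binary hashes).
SAMPLE_OWNER = uuid.UUID("0f0f0f0f-1111-2222-3333-444444444444")  # made-up GUID
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_HASHES = [hashlib.sha256(b"revoked-binary-1").digest(),
                 hashlib.sha256(b"revoked-binary-2").digest()]
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES))

if __name__ == "__main__":
    for name in KEYSTORES:
        entries = read_keystore(name)
        if entries is None:
            print(f"{name}: not present (no UEFI, efivars not mounted, or for MokListRT: not booted via shim)")
            continue
        print(f"{name}: {len(entries)} entries")
        for e in entries:
            print("   ", describe(e))
    print("constructed sample:")
    for e in parse_signature_lists(SAMPLE_DB):
        print("   ", describe(e))
```

Run it as root on the Framework before changing anything and keep the output: the db listing is the set of CAs the firmware trusts (the Microsoft entries are what let the Fedora shim boot), and after `mokutil --import` plus the reboot-time enrollment, the new key should show up under MokListRT. If the MokListRT line says the variable is not present, the machine was not booted through shim and module signatures enrolled in MOK will not be honoured.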