Help: Installing Fedora 34 with secureboot on new Thinkpad


I just got my new Thinkpad X1 Carbon Gen 9 :grin: and can’t boot with secure boot enabled :sleepy: (I ordered the laptop without OS, since Fedora wasn’t available yet).

I can boot in the Live-session with secure boot turned off and also in secure boot setup mode.

When secure boot is enabled an I select the USB-Stick with Fedora 34 to boot, the computer restarts after a short black screen.

I guess it’s a problem with the secure boot keys.

In the UEFI-BIOS Menu(, under “Security”, “Secure Boot”, “Key Management”, I have a lot of options to enroll Keys (PK, KEK, DB, DBX).


  1. Is there a simple way to boot and install Fedora 34 with secure boot I don’t get?
    If not:
  2. Where can I find the required Keys (I found this: but I’m not sure a Guide / Key for Fedora 18 is still up to date and don’t want to mess something up).
  3. How should I load the required Keys?

Many thanks in advance for any help!


Fedora 34 has a blocker bug 1938630 – include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them which is Secure Boot related.


Oh, I see… I guess that should explain the problem, as the laptop came just today with the latest firmware (1.23) witch is dated 31.03.2021, and the db/dbx should exclude the 2018 signature.

Thanks a lot for your input!


It’s confirmed: it works with the test image with the new shim-15.4.3 (

So the problem will be gone soon.


Thanks for updating back!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.