How do I install Secureblue on Fedora Silverblue?

Ask Fedora
,
1

How to install secureblue on fedora silverblue and what are its benefits

1 Like
2
1 Like
3

i got an error when i used the first command to upgrade to secureblue .Below is the error

rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/IMAGE_NAME:latest
Pulling manifest: ostree-unverified-registry:ghcr.io/secureblue/IMAGE_NAME:latest
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: invalid reference format: repository name must be lowercase

4

Replace IMAGE_NAME with the full name of your preferred image from the list below.

you didint replace the base image name as it stated and there is link to all base image names to replace IMAGE_NAME

1 Like
5

thank you. now it tells that fedora secureblue is installed.
it popped up a windows where i clicked next .
now i am in the terminal where the output looks like this

Welcome to secureblue!
Your image is: silverblue-main-hardened:latest

Commands:
| `ujust`  | List all available commands |
| `ujust toggle-user-motd` | Toggle this banner on/off |

~~~ NOTICE: Subscribe to secureblue release notifications: https://github.com/secureblue/secureblue/blob/live/FAQ.md#how-do-i-get-notified-of-secureblue-changes ~~~

To report an issue: https://github.com/secureblue/secureblue/issues
FAQ: https://github.com/secureblue/secureblue/blob/live/FAQ.md
Donate: https://github.com/secureblue/secureblue/blob/live/DONATE.md
Discord: https://discord.gg/qMTv5cKfbF
saleeshsuresheyyani@fedora:~$ lspci | grep -i nvidia
saleeshsuresheyyani@fedora:~$ ujust enroll-secure-boot-key
echo 'Enter password "universalblue" if prompted after your user password.'
Enter password "universalblue" if prompted after your user password.
sudo mokutil --timeout -1
[sudo] password for saleeshsuresheyyani: 
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
input password: 
input password again: 
echo 'When you reboot your computer, follow the instructions to start MOK util'
When you reboot your computer, follow the instructions to start MOK util
echo 'by pressing a key, then enroll the secure boot key and enter "universalblue" as the password'
by pressing a key, then enroll the secure boot key and enter "universalblue" as the password
saleeshsuresheyyani@fedora:~$ 
saleeshsuresheyyani@fedora:~$
6

should i simply reboot

7

yes it says here reboot and enroll MOK and the password is universalblue for enrollment

8

i missed it twice . the second time it said password does not match. i am still trying

11

I am not sure if the mok has been activated or not
below is the output

Welcome to secureblue!
Your image is: silverblue-main-hardened:latest

Commands:
| `ujust`  | List all available commands |
| `ujust toggle-user-motd` | Toggle this banner on/off |

~~~ NOTICE: Subscribe to secureblue release notifications: https://github.com/secureblue/secureblue/blob/live/FAQ.md#how-do-i-get-notified-of-secureblue-changes ~~~

To report an issue: https://github.com/secureblue/secureblue/issues
FAQ: https://github.com/secureblue/secureblue/blob/live/FAQ.md
Donate: https://github.com/secureblue/secureblue/blob/live/DONATE.md
Discord: https://discord.gg/qMTv5cKfbF
saleeshsuresheyyani@fedora:~$ sudo mokutil --list-new
[sudo] password for saleeshsuresheyyani: 
saleeshsuresheyyani@fedora:~$ sudo mokutil --list-new
[sudo] password for saleeshsuresheyyani: 
Sorry, try again.
[sudo] password for saleeshsuresheyyani: 
saleeshsuresheyyani@fedora:~$ ujust enroll-secure-boot-key
echo 'Enter password "universalblue" if prompted after your user password.'
Enter password "universalblue" if prompted after your user password.
sudo mokutil --timeout -1
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
SKIP: /etc/pki/akmods/certs/akmods-ublue.der is already enrolled
echo 'When you reboot your computer, follow the instructions to start MOK util'
When you reboot your computer, follow the instructions to start MOK util
echo 'by pressing a key, then enroll the secure boot key and enter "universalblue" as the password'
by pressing a key, then enroll the secure boot key and enter "universalblue" as the password
saleeshsuresheyyani@fedora:~$ ujust set-kargs-hardening
Do you need support for 32-bit processes/syscalls? (This is mostly used by legacy software, with some exceptions, such as Steam) [y/N]: y
Keeping 32-bit support.
Would you like to set additional (unstable) hardening kargs? (Warning: Setting these kargs may lead to boot issues on some hardware.) [y/N]: n
Not setting unstable hardening kargs.
Applying boot parameters...
Inactive requests:
  virtualbox-guest-additions (already provided by virtualbox-guest-additions-7.1.4-1.fc40.x86_64)
Checking out tree b3ba152... done
Resolving dependencies... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Freed: 131.0 MB (pkgcache branches: 0)
Removed:
  SDL2_image-2.8.2-4.fc40.x86_64
  adwaita-gtk2-theme-3.28-19.fc40.x86_64
  blueman-nautilus-1:2.4.3-1.fc40.noarch
  blueman-nemo-1:2.4.3-1.fc40.noarch
  caja-schemas-1.28.0-1.fc40.x86_64
  capstone-5.0.1-3.fc40.x86_64
  caribou-gtk2-module-0.4.21-38.fc40.x86_64
  cinnamon-calendar-server-6.2.9-1.fc40.x86_64
  cinnamon-control-center-6.2.0-1.fc40.x86_64
  cinnamon-settings-daemon-6.2.0-1.fc40.x86_64
  daxctl-libs-80-1.fc40.x86_64
  device-mapper-multipath-libs-0.9.7-7.fc40.x86_64
  edk2-ovmf-20240813-2.fc40.noarch
  exif-0.6.22-9.fc40.x86_64
  folder-color-switcher-1.6.3-1.fc40.noarch
  folder-color-switcher-nemo-1.6.3-1.fc40.noarch
  fortune-mod-3.20.0-4.fc40.x86_64
  freeipmi-1.6.14-2.fc40.x86_64
  gnome-calendar-46.1-1.fc40.x86_64
  gnome-icon-theme-3.12.0-22.fc40.noarch
  gnome-online-accounts-gtk-3.50.3-1.fc40.x86_64
  gtk-layer-shell-0.8.2-3.fc40.x86_64
  gtk2-2.24.33-18.fc40.x86_64
  hddtemp-0.3-0.56.beta15.fc40.x86_64
  ibus-gtk2-1.5.30-6.fc40.x86_64
  inxi-3.3.36-1.fc40.noarch
  ipmitool-1.8.19-7.fc40.x86_64
  ipxe-roms-qemu-20240119-1.gitde8a0821.fc40.noarch
  libXpresent-1.0.0-21.fc40.x86_64
  libXxf86dga-1.1.6-3.fc40.x86_64
  libblkio-1.5.0-1.fc40.x86_64
  libcanberra-gtk2-0.30-35.fc40.x86_64
  libfdt-1.7.0-7.fc40.x86_64
  libgit2-1.7.2-4.fc40.x86_64
  libmateweather-1.28.0-1.fc40.x86_64
  libmateweather-data-1.28.0-1.fc40.noarch
  libnfs-5.0.3-1.fc40.x86_64
  libpmem-2.0.1-3.fc40.x86_64
  libretls-3.8.1-3.fc40.x86_64
  libuser-0.64-8.fc40.x86_64
  libvirt-daemon-kvm-10.1.0-4.fc40.x86_64
  libxdp-1.4.2-1.fc40.x86_64
  lm_sensors-3.6.0-18.fc40.x86_64
  mate-desktop-libs-1.28.2-1.fc40.x86_64
  mate-menus-1.28.0-1.fc40.x86_64
  mate-menus-libs-1.28.0-1.fc40.x86_64
  mate-panel-1.28.2-1.fc40.x86_64
  mate-panel-libs-1.28.2-1.fc40.x86_64
  metacity-3.49.1-3.fc40.x86_64
  mint-themes-1:2.1.8-1.fc40.noarch
  mint-x-icons-1.7.1-1.fc40.noarch
  mint-y-icons-1.7.7-1.fc40.noarch
  mint-y-theme-1:2.1.8-1.fc40.noarch
  nautilus-python-4.0.1-1.fc40.x86_64
  nbdkit-1.38.5-1.fc40.x86_64
  nbdkit-basic-filters-1.38.5-1.fc40.x86_64
  nbdkit-basic-plugins-1.38.5-1.fc40.x86_64
  nbdkit-curl-plugin-1.38.5-1.fc40.x86_64
  nbdkit-selinux-1.38.5-1.fc40.noarch
  nbdkit-server-1.38.5-1.fc40.x86_64
  nbdkit-ssh-plugin-1.38.5-1.fc40.x86_64
  ndctl-libs-80-1.fc40.x86_64
  nemo-python-6.2.0-1.fc40.x86_64
  nemo-search-helpers-6.2.8-1.fc40.x86_64
  netcat-1.226-3.fc40.x86_64
  odt2txt-0.5-13.fc40.x86_64
  paper-icon-theme-1.5.0-16.20200312gitaa3e8af.fc40.noarch
  perl-Clone-0.46-6.fc40.x86_64
  perl-Compress-Raw-Bzip2-2.210-1.fc40.x86_64
  perl-Compress-Raw-Zlib-2.209-1.fc40.x86_64
  perl-Cpanel-JSON-XS-4.37-6.fc40.x86_64
  perl-Data-Dump-1.25-10.fc40.noarch
  perl-Digest-HMAC-1.04-10.fc40.noarch
  perl-Digest-SHA-1:6.04-503.fc40.x86_64
  perl-Encode-Locale-1.05-29.fc40.noarch
  perl-File-Copy-2.41-506.fc40.noarch
  perl-File-Find-1.43-506.fc40.noarch
  perl-File-Listing-6.16-3.fc40.noarch
  perl-File-Slurper-0.014-5.fc40.noarch
  perl-HTML-Parser-3.83-1.fc40.x86_64
  perl-HTML-Tagset-3.24-1.fc40.noarch
  perl-HTTP-Cookies-6.11-3.fc40.noarch
  perl-HTTP-Date-6.06-4.fc40.noarch
  perl-HTTP-Message-6.46-1.fc40.noarch
  perl-HTTP-Negotiate-6.01-38.fc40.noarch
  perl-I18N-Langinfo-0.22-506.fc40.x86_64
  perl-IO-Compress-2.207-1.fc40.noarch
  perl-IO-Compress-Brotli-0.004001-12.fc40.x86_64
  perl-IO-HTML-1.004-12.fc40.noarch
  perl-LWP-MediaTypes-6.04-17.fc40.noarch
  perl-Math-BigInt-1:2.0030.03-1.fc40.noarch
  perl-Math-Complex-1.62-506.fc40.noarch
  perl-Module-Load-1:0.36-503.fc40.noarch
  perl-NDBM_File-1.16-506.fc40.x86_64
  perl-NTLM-1.09-38.fc40.noarch
  perl-Net-HTTP-6.23-4.fc40.noarch
  perl-PerlIO-utf8_strict-0.010-6.fc40.x86_64
  perl-Sys-Hostname-1.25-506.fc40.x86_64
  perl-Time-HiRes-4:1.9775-502.fc40.x86_64
  perl-TimeDate-1:2.33-14.fc40.noarch
  perl-Try-Tiny-0.31-9.fc40.noarch
  perl-WWW-RobotRules-6.02-39.fc40.noarch
  perl-XML-Dumper-0.81-49.fc40.noarch
  perl-XML-Parser-2.47-3.fc40.x86_64
  perl-libwww-perl-6.77-1.fc40.noarch
  perl-subs-1.04-506.fc40.noarch
  pugixml-1.13-5.fc40.x86_64
  python3-aiodns-3.0.0-10.fc40.noarch
  python3-aiohttp+speedups-3.9.5-1.fc40.x86_64
  python3-babel-2.16.0-1.fc40.noarch
  python3-brotli-1.1.0-3.fc40.x86_64
  python3-click-plugins-1.1.1-19.fc40.noarch
  python3-pycares-4.3.0-6.fc40.x86_64
  python3-pygit2-1.14.0-1.fc40.x86_64
  python3-rpmautospec-0.7.3-1.fc40.noarch
  python3-rpmautospec-core-0.1.5-1.fc40.noarch
  python3-xlrd-2.0.1-15.fc40.noarch
  qemu-audio-alsa-2:8.2.7-1.fc40.x86_64
  qemu-audio-dbus-2:8.2.7-1.fc40.x86_64
  qemu-audio-jack-2:8.2.7-1.fc40.x86_64
  qemu-audio-oss-2:8.2.7-1.fc40.x86_64
  qemu-audio-pa-2:8.2.7-1.fc40.x86_64
  qemu-audio-pipewire-2:8.2.7-1.fc40.x86_64
  qemu-audio-sdl-2:8.2.7-1.fc40.x86_64
  qemu-audio-spice-2:8.2.7-1.fc40.x86_64
  qemu-block-blkio-2:8.2.7-1.fc40.x86_64
  qemu-block-curl-2:8.2.7-1.fc40.x86_64
  qemu-block-dmg-2:8.2.7-1.fc40.x86_64
  qemu-block-gluster-2:8.2.7-1.fc40.x86_64
  qemu-block-iscsi-2:8.2.7-1.fc40.x86_64
  qemu-block-nfs-2:8.2.7-1.fc40.x86_64
  qemu-block-rbd-2:8.2.7-1.fc40.x86_64
  qemu-block-ssh-2:8.2.7-1.fc40.x86_64
  qemu-char-baum-2:8.2.7-1.fc40.x86_64
  qemu-char-spice-2:8.2.7-1.fc40.x86_64
  qemu-common-2:8.2.7-1.fc40.x86_64
  qemu-device-display-qxl-2:8.2.7-1.fc40.x86_64
  qemu-device-display-vhost-user-gpu-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-ccw-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-gl-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-pci-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-pci-gl-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-pci-rutabaga-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-gpu-rutabaga-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-vga-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-vga-gl-2:8.2.7-1.fc40.x86_64
  qemu-device-display-virtio-vga-rutabaga-2:8.2.7-1.fc40.x86_64
  qemu-device-usb-host-2:8.2.7-1.fc40.x86_64
  qemu-device-usb-redirect-2:8.2.7-1.fc40.x86_64
  qemu-device-usb-smartcard-2:8.2.7-1.fc40.x86_64
  qemu-kvm-2:8.2.7-1.fc40.x86_64
  qemu-pr-helper-2:8.2.7-1.fc40.x86_64
  qemu-system-x86-2:8.2.7-1.fc40.x86_64
  qemu-system-x86-core-2:8.2.7-1.fc40.x86_64
  qemu-ui-curses-2:8.2.7-1.fc40.x86_64
  qemu-ui-egl-headless-2:8.2.7-1.fc40.x86_64
  qemu-ui-gtk-2:8.2.7-1.fc40.x86_64
  qemu-ui-opengl-2:8.2.7-1.fc40.x86_64
  qemu-ui-sdl-2:8.2.7-1.fc40.x86_64
  qemu-ui-spice-app-2:8.2.7-1.fc40.x86_64
  qemu-ui-spice-core-2:8.2.7-1.fc40.x86_64
  recode-3.7.14-4.fc40.x86_64
  rutabaga-gfx-ffi-0.1.2-3.20230913gitc3ad0e43e.fc40.x86_64
  seabios-bin-1.16.3-2.fc40.noarch
  seavgabios-bin-1.16.3-2.fc40.noarch
  spice-server-0.15.1-4.fc40.x86_64
  touchegg-2.0.16-3.fc40.x86_64
  usermode-1.114-9.fc40.x86_64
  virglrenderer-1.0.1-2.fc40.x86_64
  virtiofsd-1.10.1-1.fc40.x86_64
  virtualbox-guest-additions-7.1.4-1.fc40.x86_64
  wmctrl-1.07-36.fc40.x86_64
  xdg-desktop-portal-xapp-1.0.9-1.fc40.x86_64
  xdpyinfo-1.3.3-5.fc40.x86_64
  xrandr-1.5.2-5.fc40.x86_64
  zlib-ng-2.1.7-2.fc40.x86_64
Changes queued for next boot. Run "systemctl reboot" to start a reboot
Hardening kargs applied."
12

Added secureblue, silverblue

13

actually i had cinnamon desktop with microsoft edge . edge was not working.
so i removed it. but ungoogled chromium does not launch. i got an error for it :frowning:

photo_2024-10-29_20-21-44
photo_2024-10-29_20-21-441280×591 183 KB

14

hi ankur and others i am not sure what the issue could be. can i directly shift to the usual silverblue 41 instead

15

or if this could be fixed

16

rpm-ostree rebase fedora:fedora/41/x86_64/silverblue

If you have layers
rpm-ostree reset

17

thank you

18

what will rpm-ostree reset do

19

Reset it as default all changes and layers removed

1 Like
20

I’d fix the secureblue/silverblue bit here first and then open a different topic for edge/chromium not working.

21

You already switched to secureblue. This is the setup dialog, it literally tells you that you are on secureblue XD

it does some things that may require a reboot.

But please, for secureblue specific stuff use their issue tracker on Github

22

You installed Chromium via Flatpak. Secureblue already has Chromium bundled.

Please use their issuetracker. And please read their docs first, they do a ton of stuff that breaks like everything if you dont know about it

Secureblue is very security hardened. Can be fine, could cause major things like Bluetooth or printing or kde-connect or other things to stop working.