How to enable "Secure Boot" after Fedora is installed?

When I installed fedora using a USB flash drive, I used UEFI boot, but secure boot was not turned on during installation, and I installed a win11+fedora dual system, both of which coexist on the same hard disk.
If I check “Enable Secure Boot” on the BIOS interface, when starting fedora, the BIOS will prompt that it is not supported.
what should I do?

Normally, you can just turn Secure Boot on and off. Fedora’s shim is correctly signed and will be booted with Secure Boot enabled. However, your UEFI implementation may have an additional setting whether to accept only binaries signed with the Microsoft CA or with Microsoft’s open source CA (or some name along those lines).
Edit: It is called “Microsoft 3rd Party UEFI CA”, it is used to sign Linux distro bootloaders, and it is disabled by default, because it “would increase the attack surface” of a device shipping with Windows.

One other potential issue is third party kernel modules that aren’t signed, which also breaks the trust chain of Secure Boot. Do you use any of these?


What type of machine are you using? You should check which CA certificates are used for verifying signatures. There’re Dell machines that don’t use Microsoft CA certs, for example. You can, however, enrol them from the BIOS in the secure boot settings in Dell’s case. All secure boot related components in Fedora are signed via MS CA. If your machine uses a different CA for verification, this may be the reason why secure boot fails. If you cleared the CA certificate store of secure boot in your BIOS, this can also make secure boot fail.

EDIT: Oops, @l-c-g was quicker. :slight_smile:
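Added example (not from this thread or from Fedora): a small Python parser for the EFI_SIGNATURE_LIST format that the firmware's db, dbx, KEK and PK variables use, so you can see which CA certificates the firmware actually trusts instead of guessing from the BIOS menu. Run it against the db variable under efivarfs (the path below is the standard one; efivarfs prefixes the data with a 4-byte attribute word, which the parser strips). The sample blobs are constructed, the owner GUID is a placeholder, and the check for the "Microsoft Corporation UEFI CA 2011" certificate is a substring search on the DER bytes rather than real X.509 parsing; `mokutil --db` prints the same database with full certificate details.

```python
import struct
import sys
import uuid

# Signature types defined by the UEFI specification ("Signature Database").
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# efivarfs path of the authorized signature database "db"
# (the GUID is EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Subject CN of the CA Microsoft uses to sign shim for Linux distributions.
MS_UEFI_CA_CN = "Microsoft Corporation UEFI CA 2011"

# SignatureType GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)
HEADER_LEN = 28


def parse_signature_lists(blob, strip_efivarfs_attrs=False):
    """Return [(type_name, owner_guid, data), ...] for every entry in a run of
    EFI_SIGNATURE_LIST structures (the layout of db, dbx, KEK, PK and MokList)."""
    if strip_efivarfs_attrs:
        blob = blob[4:]  # efivarfs stores a 4-byte attribute word before the data
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))
            entries.append((type_name, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def third_party_ca_present(entries):
    """Heuristic: the CN is stored as an ASCII PrintableString inside the DER
    certificate, so a substring search finds it without an X.509 parser."""
    return any(t == "X509" and MS_UEFI_CA_CN.encode() in data for t, _, data in entries)


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST; all payloads must have the same length."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample data: placeholder owner GUID and fake "certificates" that
# only carry the CN string. Real db entries hold complete DER certificates.
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
SAMPLE_DB_WINDOWS_ONLY = build_signature_list(
    EFI_CERT_X509_GUID, SAMPLE_OWNER,
    [b"<constructed DER> CN=Microsoft Windows Production PCA 2011"])
SAMPLE_DB_WITH_3RD_PARTY = (
    SAMPLE_DB_WINDOWS_ONLY
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                           [b"<constructed DER> CN=" + MS_UEFI_CA_CN.encode()])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
)


def summarize(blob, strip_efivarfs_attrs=False):
    """Count entries by type and report whether the 3rd party CA is enrolled."""
    entries = parse_signature_lists(blob, strip_efivarfs_attrs)
    return {
        "x509_certs": sum(1 for t, _, _ in entries if t == "X509"),
        "sha256_hashes": sum(1 for t, _, _ in entries if t == "SHA256"),
        "third_party_ca": third_party_ca_present(entries),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 check_db.py /sys/firmware/efi/efivars/db-d719b2cb-...
        with open(sys.argv[1], "rb") as f:
            print(summarize(f.read(), strip_efivarfs_attrs=True))
    else:
        print("windows-only sample:", summarize(SAMPLE_DB_WINDOWS_ONLY))
        print("sample with 3rd party CA:", summarize(SAMPLE_DB_WITH_3RD_PARTY))
```

If `third_party_ca` comes back false on a real machine, shim cannot be verified no matter how the installation is repaired, and the fix lives in the firmware setup (enabling the 3rd party CA or enrolling it into db), which is the point made above.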

Probably not

$ lsmod | grep nvidia
nvidia_wmi_ec_backlight    12288  0
video                  81920  5 nvidia_wmi_ec_backlight,asus_wmi,amdgpu,asus_nb_wmi,nouveau
wmi                    32768  6 video,nvidia_wmi_ec_backlight,asus_wmi,wmi_bmof,mxm_wmi,nouveau

So you do use the Nvidia drivers from RPMFusion? I avoid Nvidia, but as far as I understand the RPMFusion package still builds a kernel module, which would need to be signed and the key imported into your UEFI. Check out this page on Secure Boot.

Note that I haven’t used that guide myself and cannot speak to the correctness of the steps. All my machines have hardware that boots with the stock kernel without any third party modules.

ASUSTeK COMPUTER INC. ASUS TUF Gaming A15 FA507UV.
I tried resetting the certificate in the BIOS, but it still didn’t work.
If secure boot is enabled, will the file shimx64.efi be used under /boot/efi/EFI/fedora to boot? I didn’t know what it was before, so I deleted it, but it was generated using the tutorial I gave in the LLM today. I still cannot use this new startup item for secure boot.

No, I didn’t. After installing fedora, I didn’t bother to install the driver. I just left it alone.

Yes, by default Fedora’s boot sequence is shimx64.efi → grubx64.efi → Linux kernel + init.

Hard to say what is going on, since I don’t know what the LLM told you to do to the system. You might have introduced more issues, which makes troubleshooting harder.

Let’s go back to the beginning, have you checked your UEFI to see if you can activate Microsoft’s 3rd Party UEFI CA for Secure Boot?

(Though, quite frankly, after replacing the shim binary with something unknown, I am not sure if I would still trust the integrity of the machine at this point.)

Hard to say what is going on, since I don’t know what the LLM told you to do to the system. You might have introduced more issues, which makes troubleshooting harder.

The tutorial given by the LLM:

  1. Reinstall and sign bootloader:
     sudo dnf reinstall shim-x64 grub2-efi-x64
     sudo grub2-mkconfig -o /etc/grub2-efi.cfg
  2. Add the current kernel to the “whitelist”
     sudo mokutil --disable-validation
  3. Reboot. Then you will enter the MOK Manager. Change Secure Boot state lastly

Let’s go back to the beginning, have you checked your UEFI to see if you can activate Microsoft’s 3rd Party UEFI CA for Secure Boot?

Thanks. But how to check?

Maybe try to boot from a USB drive to a Fedora live system with secure boot enabled to check that all BIOS settings are alright?

You open the UEFI, navigate to where you have activated Secure Boot before, and look around for additional settings related to the CA. Sorry I can’t be more specific, every UEFI implementation is different and I do not own the same model of laptop.

There are only these options in the BIOS
Security \ Secure Startup Key Management

  • Revert to Setup Mode
  • Export Safe Boot Parameters

  Secure Boot Parameters    | Size  | Key | Key Source
  Platform Key ( PK )       | 877   | 1   | factory settings
  Key Exchange Secret Steel | 4229  | 3   | Factory Settings
  Authorized Signature      | 7017  | 5   | Factory Setting
  To disable signature      | 21629 | 432 | blending
  Timestamp                 | 76    | 1   | Factory Setting

  Bold text is not clickable.

I don’t know what to tell you, Thinkpads have a neat little checkbox that clearly says “Enable Microsoft 3rd Party UEFI CA”. Try the parent page, see if you find something there. Or maybe a drop-down to select between “Microsoft OS” and “Other OS”.

But if you find nothing there, either, I suggest you ask in an Asus forum or contact the Asus support.

The easiest check would be to boot the Fedora live from USB with secure boot enabled. If that works you know that your BIOS settings are alright and you need to look at your installation.

I tried booting from the live USB with “Secure Boot” enabled in the BIOS. Live USB prompts “booting in insecure” during the boot process, but after entering the system, the gnome setting interface displays “Secure boot is enabled”
Which one should I believe?
If Secure Boot is available, is there any way to enable it on my existing system?

I used the following command

$ mokutil --sb-state
SecureBoot enabled
SecureBoot validation is disabled in shim

If I turn on verification when secure boot is turned on, MOK Manager will prompt that verification failed and cannot start.
So, I can now enable secure boot, but must turn off verification

That sounds to me like your chain breaks when shim verifies GRUB. Have you made any changes to GRUB like a theme or even just loading a font? Both break Secure Boot.

No, I didn’t.
I just tried it again and found that after booting from live USB, typing mokutil --sb-state will display

SecureBoot enabled

Therefore live USB supports complete secure boot. I think reinstalling Fedora using a live USB should solve this problem, but I don’t know how to do it. I used the Btrfs file system to divide @ and @home into two areas. I don’t know if reinstalling will clear my user data, configuration and installed software.

If I turn on verification when secure boot is turned on, MOK Manager will prompt that verification failed and cannot start.

This is an error message

Secure Boot: Shim: Verification failed: (0x1A) Security Violation

Is it helpful to solve this problem?

Same on my Thinkpad with Secure Boot enabled:

~ ❯ mokutil --sb-state
SecureBoot enable

So does the regular installation as you can see from my output.

You can of course do that. You might just end up in the exact same spot. I prefer figuring out what the issue is instead of just YOLO reinstalling and hoping it magically fixes things.

You could remove the @ subvolume, this will throw away all installed packages and all the system configuration you did, but your user data and program configuration for your user would be safe in the @home subvolume. Then just create a new @ subvolume and mount @ to / and @home to /home in the installer.

However, if you are unsure what to do (and to me, it sounds like you are), backing up your home is a really really good idea. Proceed with caution.
