How to enroll Fedora's public key into UEFI?

I have removed all the inbuilt platform keys and enrolled my own keys (PK, KEK and db). I do not want to add Microsoft’s keys.

Now I want to add fedora’s public key to the uefi in addition to my own keys.

  1. How can I do that?
  2. Should I sign fedora’s key with my PK and KEK before enrolling it to UEFI?

You are going around the barn to do something that is very unusual.

Fedora kernels and software are signed to be compatible with keys that are provided for free in most hardware UEFI BIOSes. If you refuse to allow those keys to be used then you will have to recompile and re-sign every kernel and every kernel module that is already signed by Fedora before they can be installed and used.

This to me sounds like extreme paranoia since the keys are in the BIOS and have nothing to do directly with what a Microsoft OS may be doing, but only verify the validity of critical software before it may be loaded and run. The same (or similar) keys are used to sign and verify the Linux kernels and modules.

If you want no Microsoft keys involved then turn off Secure Boot and the keys will be unused. If you delete those keys then you still will have Secure Boot inoperative. If you want to use your own keys exclusively and enable Secure Boot then welcome to the world of compiling and signing software packages to enable the system to operate.

How will you verify that software you compile does not contain malware? It certainly will never run on any other system that does not have your personal keys loaded.

BTW: one or more of those keys you deleted are the ones used by Fedora.


You may want to take a look at Building a Custom Kernel :: Fedora Docs

Perhaps you can find the answer on this website http://www.rodsbooks.com/efi-bootloaders/index.html

It is very detailed and very technical. For what you want to do, you will need to get this level of understanding, or you run the risk of bricking your system.

Right now, I’ve signed the kernel with my keys and it’s booting fine now. If anything happens bad or if I forget to sign fedora kernel after update, that’s not going be an issue as I can disable secure boot anytime and it doesn’t brick.

I think updating your BIOS will restore your old key (the key that Fedora signs with by default), and then you can use Fedora without signing every kernel update.

The Fedora certificate is baked into the shim, and the UEFI firmware has no knowledge of it.

Fedora's shim needs Microsoft keys. I don't want to use Microsoft keys.
I just want to use only my keys and Fedora keys.

It is just a cryptographic key; there is nothing wrong with this. And there is no Fedora key, I think; it is just that while booting no other part can start except the kernel signed with that particular key.
Now I also think:
to attain security measures we have to rely on that key,
until Linux gets into the % and it is provided by the OEM.
Still, I really don't know where Secure Boot will do anything; anything sophisticated enough can load into the BIOS.
So you need to shift to coreboot or something.

I have already got Fedora's public key from rEFInd's rpm package.

I don’t use Microsoft products, so there is no need for me to use and trust Microsoft’s keys.

Did you check the website http://www.rodsbooks.com/efi-bootloaders/index.html ?

Basically it is the same procedure to enroll the Fedora key into db as to enroll your own key.

Something you might need to pay attention to: The Fedora certificate will expire by the end of this year, and I see that the Fedora kernels are signed with the current Fedora certificate as well as a new one. I don’t see that new certificate being available anywhere on the public internet yet.

I have managed to add Fedora's public key to the UEFI db list successfully. All I had to do was sign Fedora's public key with my private keys and enroll it. It was easy; I already knew this before coming here, but I asked here to confirm the procedure.

Thanks to those people who are just asking questions like "why do you want that" and "why don't you trust Microsoft?" and making it sound like an impossible thing to do. :rofl:


sudo dmesg | grep "Loaded X.509 cert"
[sudo] password for arun: 
[    0.609839] Loaded X.509 cert 'Fedora kernel signing key: 002dde36c7912ca45a865597ba9330417b11b286'
[    0.654093] integrity: Loaded X.509 cert 'Home: Arun Signature Database: 3d669ad5bf370ac4a5f5d8508f795ccfaa09d9bc'
[    0.654325] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
[    0.656765] Loaded X.509 cert 'Fedora kernel signing key: 002dde36c7912ca45a865597ba9330417b11b286'
[    7.032718] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
❯ efi-readvar -v db                              
Variable db, length 2040
db: List 0, type X509
    Signature 0, size 1092, owner c1f3d934-bb2f-4b6f-a517-8f184b16d41e
        Subject:
            C=xx, ST=xxxx, L=xxxx, O=xxxx, CN=Arun Signature Database, emailAddress=no@email.com
        Issuer:
            C=xx, ST=xxxx, L=xxxx, O=xxxx, CN=Arun Signature Database, emailAddress=no@email.com
db: List 1, type X509
    Signature 0, size 892, owner 605dab50-e046-4300-abb6-3dd810dd8b23
        Subject:
            CN=Fedora Secure Boot CA
        Issuer:
            CN=Fedora Secure Boot CA
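
The `efi-readvar -v db` output above is a dump of EFI_SIGNATURE_LIST structures, which is also the format the enrollment procedure in this thread produces: `cert-to-efi-sig-list -g <owner-guid> fedora.der fedora.esl` wraps the DER certificate in one such list, `sign-efi-sig-list -a -k KEK.key -c KEK.crt db fedora.esl fedora.auth` wraps that list in a KEK-signed authenticated-variable update, and `efi-updatevar -a -f fedora.auth db` appends it to db. The following Python is an added example, not code from this thread or from efitools: it builds the list exactly as `cert-to-efi-sig-list` does, parses a db value back the way `efi-readvar` prints it, and offers a check for whether a certificate is already enrolled. The two "DER certificates" are constructed placeholder byte strings, not real certificates; their lengths are chosen so the signature sizes (1092 and 892) and the variable length (2040) match the dump above. The owner GUIDs are the two shown in that dump. The PKCS#7 signing step that `sign-efi-sig-list` performs with the KEK is not reproduced here.

```python
"""Build and inspect EFI_SIGNATURE_LIST blobs, the format behind the UEFI
db/KEK/dbx variables.  Added example; not code from the thread or from efitools.

cert_to_esl() does what `cert-to-efi-sig-list -g <owner-guid> cert.der out.esl`
does; parse_db()/describe() do the structural part of `efi-readvar -v db`.
The authenticated-variable wrapper that `sign-efi-sig-list` adds (a PKCS#7
signature by the KEK over the payload) is NOT reproduced here.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all integers little-endian).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA begins with the SignatureOwner GUID


def cert_to_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """One X.509 list holding one certificate owned by `owner` (cert-to-efi-sig-list -g)."""
    sig_data = owner.bytes_le + der_cert        # EFI GUIDs are stored mixed-endian
    sig_size = len(sig_data)                    # 16-byte owner + DER, as efi-readvar prints it
    header = _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, _LIST_HDR.size + sig_size, 0, sig_size)
    return header + sig_data


def parse_db(blob: bytes) -> list:
    """Walk a db/KEK/dbx value and return its lists; rejects inconsistent sizes."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"trailing {len(blob) - off} bytes do not form a list header")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"list at offset {off} overruns the variable")
        body = blob[off + _LIST_HDR.size + hdr_size:off + list_size]
        if sig_size <= _OWNER_LEN or len(body) % sig_size:
            raise ValueError(f"list at offset {off}: body is not a multiple of SignatureSize")
        sigs = [{"owner": uuid.UUID(bytes_le=body[i:i + _OWNER_LEN]),
                 "data": body[i + _OWNER_LEN:i + sig_size]}
                for i in range(0, len(body), sig_size)]
        lists.append({"type": uuid.UUID(bytes_le=sig_type), "sig_size": sig_size, "sigs": sigs})
        off += list_size
    return lists


def db_contains_cert(blob: bytes, der_cert: bytes) -> bool:
    """Check before enrolling: is this exact DER certificate already in an X.509 list?"""
    return any(sig["data"] == der_cert
               for lst in parse_db(blob) if lst["type"] == EFI_CERT_X509_GUID
               for sig in lst["sigs"])


def describe(blob: bytes) -> str:
    """efi-readvar-style summary: type, per-signature size and owner, sha256 of the data."""
    names = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
    out = [f"Variable db, length {len(blob)}"]
    for n, lst in enumerate(parse_db(blob)):
        out.append(f"db: List {n}, type {names.get(lst['type'], lst['type'])}")
        for i, sig in enumerate(lst["sigs"]):
            out.append(f"    Signature {i}, size {lst['sig_size']}, owner {sig['owner']}")
            out.append(f"        sha256 {hashlib.sha256(sig['data']).hexdigest()}")
    return "\n".join(out)


# Constructed stand-ins for DER certificates (NOT real certificates).  Their
# lengths (1076 and 876 bytes) make the signature sizes 1092 and 892 and the
# whole variable 2040 bytes, matching the efi-readvar output in the thread.
MY_DER = bytes([0x30, 0x82, 0x04, 0x30]) + b"\x11" * 1072
FEDORA_DER = bytes([0x30, 0x82, 0x03, 0x68]) + b"\x22" * 872
MY_OWNER = uuid.UUID("c1f3d934-bb2f-4b6f-a517-8f184b16d41e")      # owner GUID from the dump
FEDORA_OWNER = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")  # owner GUID from the dump


def build_example_db() -> bytes:
    """Own CA first, then the Fedora CA appended (what `efi-updatevar -a ... db` does)."""
    return cert_to_esl(MY_DER, MY_OWNER) + cert_to_esl(FEDORA_DER, FEDORA_OWNER)


if __name__ == "__main__":
    print(describe(build_example_db()))
```

To inspect a live system, feed `parse_db()` the value read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its first four bytes (the variable attributes) stripped, or the `.esl` file `cert-to-efi-sig-list` wrote; `db_contains_cert()` then tells you whether the Fedora CA is already enrolled before you sign and push another update.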

That is nice.
I don't know about that.
And using a Microsoft key has nothing to do with trusting Microsoft; using any key is like trusting the cryptography.