You are going around the barn to do something that is very unusual.
Fedora kernels and software are signed to be compatible with keys that are provided for free in most hardware UEFI BIOSes. If you refuse to allow those keys to be used then you will have to recompile and re-sign every kernel and every kernel module that is already signed by Fedora before they can be installed and used.
This to me sounds like extreme paranoia, since the keys are in the BIOS and have nothing to do directly with what a Microsoft OS may be doing, but only verify the validity of critical software before it may be loaded and run. The same (or similar) keys are used to sign and verify the Linux kernels and modules.
If you want no Microsoft keys involved then turn off Secure Boot and the keys will be unused. If you delete those keys then you will still have Secure Boot inoperative. If you want to use your own keys exclusively and enable Secure Boot then welcome to the world of compiling and signing software packages to enable the system to operate.
How will you verify that software you compile does not contain malware? It certainly will never run on any other system that does not have your personal keys loaded.
BTW: one or more of those keys you deleted are the ones used by Fedora.
Right now, I’ve signed the kernel with my keys and it’s booting fine. If anything bad happens, or if I forget to sign the Fedora kernel after an update, that’s not going to be an issue, as I can disable Secure Boot at any time and it doesn’t brick.
It is just a cryptographic key; there is nothing wrong with this, and there is no Fedora key, I think. It is just that, while booting, no other part can start except the kernel signed with that particular key.
Now I also think:
to attain a security measure we have to rely on that key,
until Linux gets into the % and it is provided by the OEM.
Still, I really don’t know where Secure Boot will do anything. Anything sophisticated enough can load into the BIOS.
So you need to shift to coreboot or something.
Basically it is the same procedure to enroll the Fedora key into db as to enroll your own key.
Something you might need to pay attention to: The Fedora certificate will expire by the end of this year, and I see that the Fedora kernels are signed with the current Fedora certificate as well as a new one. I don’t see that new certificate being available anywhere on the public internet yet.
I have managed to add Fedora’s public key to the UEFI db list successfully. All I had to do was sign Fedora’s public key with my private keys and enroll it. It was easy; I already knew this before coming here, but I asked here to confirm the procedure.
Thanks to those people who were just asking questions like “why do you want that?” and “why don’t you trust Microsoft?” and making it sound like an impossible thing to do.
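As an added example (not code from this thread, from Fedora, or from efitools), here is what the db entry the last two posts talk about actually looks like on the wire, and how to check that a given certificate ended up in db. A vendor certificate is enrolled as an EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID, which is the structure `cert-to-efi-sig-list` emits; the GUIDs and field layout below are from the UEFI specification. The step that makes firmware accept the write, wrapping that list in an EFI_VARIABLE_AUTHENTICATION_2 blob signed by your KEK (what `sign-efi-sig-list` does before `efi-updatevar`), is not reproduced here. The owner GUID and the certificate bytes are constructed placeholders, not Fedora's real certificate.

```python
# Added example: build and parse UEFI db signature lists. Not from the thread.
import struct
import uuid

# Signature type GUIDs from the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID

# Variable attribute bits; db, dbx and KEK carry the time-based auth bit.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def build_esl(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST from raw entries (DER certs or hashes).
    All entries in one list share a size, so X.509 certs get one list each."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return ESL_HDR.pack(sig_type.bytes_le, ESL_HDR.size + len(body), 0, sig_size) + body


def parse_esl_blob(blob):
    """Yield (sig_type, owner, data) for each signature in a run of lists.
    Size fields that do not add up (truncated or hand-edited data) are rejected."""
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HDR.unpack_from(blob, off)
        if list_size < ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < OWNER_LEN or (list_size - ESL_HDR.size - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(off + ESL_HDR.size + hdr_size, off + list_size, sig_size):
            entry = blob[pos:pos + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:OWNER_LEN]), entry[OWNER_LEN:]
        off += list_size


def split_efivar(raw):
    """Split a /sys/firmware/efi/efivars/db-* file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivars entry too short")
    return struct.unpack_from("<I", raw, 0)[0], raw[4:]


def db_contains_cert(db_data, cert_der):
    """True if cert_der is enrolled in db as an X.509 entry (exact DER match)."""
    return any(t == EFI_CERT_X509_GUID and d == cert_der
               for t, _, d in parse_esl_blob(db_data))


def summarize_db(raw):
    """(attributes, [(type, owner, length), ...]) for a raw efivars db file."""
    attrs, data = split_efivar(raw)
    names = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
    return attrs, [(names.get(t, str(t)), str(o), len(d)) for t, o, d in parse_esl_blob(data)]


# Constructed sample data: an assumed owner GUID and placeholder certificate
# bytes (a DER SEQUENCE prefix followed by filler), not Fedora's real cert.
MY_OWNER = uuid.UUID("0d2a9f6e-1c3b-4f5a-9e7d-6b8c0a1f2e3d")
VENDOR_CERT = b"\x30\x82" + bytes(range(40))
OTHER_CERT = b"\x30\x82" + bytes(range(40, 80))
SOME_HASH = bytes(32)  # placeholder SHA-256 entry

# A db variable as efivars hands it back: 4-byte attributes, then the lists.
SAMPLE_DB = (struct.pack("<I", EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                         | EFI_VARIABLE_RUNTIME_ACCESS
                         | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
             + build_esl(EFI_CERT_X509_GUID, MY_OWNER, [OTHER_CERT])
             + build_esl(EFI_CERT_X509_GUID, MY_OWNER, [VENDOR_CERT])
             + build_esl(EFI_CERT_SHA256_GUID, MY_OWNER, [SOME_HASH]))

if __name__ == "__main__":
    attrs, entries = summarize_db(SAMPLE_DB)
    print(f"db attributes: 0x{attrs:02x}")
    for kind, owner, size in entries:
        print(f"  {kind:6} owner={owner} {size} bytes")
    print("vendor cert enrolled:", db_contains_cert(split_efivar(SAMPLE_DB)[1], VENDOR_CERT))
```

On a real system you would pass the contents of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` to `summarize_db` and the DER of the certificate you enrolled to `db_contains_cert`; an entry reported as a SHA256 hash rather than an X509 certificate is a per-binary allow-list entry, not a signing certificate, so a kernel signed with that certificate would still be refused.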