So it’s stuck in Setup Mode for now. Note that Secureboot is technically enabled.
```
evan@crybaby:~$ mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode
```
Ideally I would like to add a key owned by Fedora and not use a Microsoft key since they sign so much more stuff. But I think Fedora only signs with a Microsoft key. I’m not sure how I’m supposed to get the Microsoft key to add it.
In the BIOS, when attempting to enroll a key, it puts me into EFI and has me look for a key or hash there.
This means that the system has no keys at all and you have to install them into db and kek and finally into pk. Storing a key into pk will take the system out of Setup Mode.
Take a look at the sbctl project which should be able to do this task. You can search for "sbctl" in your favorite search engine for more information.
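The state that `mokutil --sb-state` printed in the first post corresponds to two UEFI variables, `SetupMode` and `SecureBoot`. The following is an added example, not code from any poster in this thread or from the sbctl project, that reads them from efivarfs and classifies the platform. The function names and the `make_sample` helper are hypothetical, and the sample variables are constructed rather than captured from a real machine.

```shell
#!/bin/sh
# Added example: classify Secure Boot state from efivarfs variable files.
# EFI global variable GUID from the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files hold a 4-byte attribute header followed by the data.
# Print the first data byte (offset 4) as a decimal number.
efi_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# sb_state [DIR]: DIR defaults to the live efivarfs mount.
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    setup=$(efi_byte "$dir/SetupMode-$EFI_GLOBAL") || { echo unknown; return 0; }
    sb=$(efi_byte "$dir/SecureBoot-$EFI_GLOBAL") || { echo unknown; return 0; }
    case "$setup:$sb" in
        1:*) echo setup-mode ;;          # no PK enrolled, nothing is verified
        0:1) echo enforcing ;;           # PK enrolled, signatures are checked
        0:0) echo user-mode-disabled ;;  # PK enrolled, firmware toggle is off
        *)   echo unknown ;;             # truncated or unexpected content
    esac
}

# make_sample DIR SETUP SB: write constructed variable files (values 0 or 1)
# so the check can be exercised without touching real firmware.
make_sample() {
    mkdir -p "$1"
    # \006 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS attribute bits
    printf "\\006\\000\\000\\000\\00$2" > "$1/SetupMode-$EFI_GLOBAL"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SecureBoot-$EFI_GLOBAL"
}

# Constructed sample matching the first post: Setup Mode, SecureBoot = 0.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" 1 0
echo "constructed sample: $(sb_state "$demo_dir")"
rm -rf "$demo_dir"

# The machine this runs on (prints "unknown" when efivarfs is not mounted).
echo "this machine: $(sb_state)"
```

A `setup-mode` result is why the firmware menu can show Secure Boot as enabled while nothing is actually verified: until a PK is enrolled, the platform does not enforce signatures.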
How do I get the Fedora key from that link? I extracted the RPM and the only thing relevant seemed to be shimx64.hash. I enrolled that to my system with
and activated Secureboot, but then I got a secureboot error about the invalid signature. So I don’t think I imported the right thing and/or I also need a Microsoft key?
In summary, this is what I had to do to fix my issue.
Install sbctl - they have a repo for it, but I manually compiled it since it does not work in toolbox and I didn’t want to install it on my host (Fedora Silverblue). Thankfully it was very easy. In toolbox, I ran these commands to compile it.
```
sudo dnf install golang asciidoc
mkdir build && cd build
git clone https://github.com/foxboron/sbctl.git
cd sbctl
make
```
From here, I left the toolbox and could run ./sbctl to run the program.