How to turn on secure boot on Silverblue?

Windows 11 is here and with it - secure boot.

I’m currently running a dual boot configuration with Windows 10 and Fedora 35 Kinoite with secure boot off. I’m trying to figure out how to enable secure boot without resorting to re-installing Fedora. If I turn on secure boot through my computer’s UEFI, the computer doesn’t boot - it just shows a blank black screen at boot up. I’m assuming that’s because since secure boot was not on during Fedora’s installation, it didn’t configure the secure boot shim and thus it’s preventing grub from loading at boot (please let me know if this assumption is incorrect, because my next steps have been based on this assumption). So I figure I need to enable secure boot, and then re-install grub so that it configures the shim correctly.

I’ve found solutions online for Fedora Workstation - which is to turn on secure boot, boot using a Live image, chroot, and reinstall grub.

Sounds like a good plan, but there’s no Live image for Silverblue (I’m assuming booting using a Workstation image is fine?). But secondly, even after chroot, there wouldn’t be a way to dnf reinstall grub, since dnf isn’t available in Silverblue, and that probably wouldn’t be the correct way even if it worked. So what’s the correct procedure to trigger a re-build of the grub config? Even trying to run grub2-mkconfig in chroot throws an error:

# grub2-mkconfig -o /etc/grub2.cfg 
/usr/sbin/grub2-probe: error: cannot find a device for / (is /dev mounted?).

I’ve pieced together some good information from the following resources, but haven’t figured it out yet. Any help is appreciated.

https://mildred.fr/quick-posts/2020-04-28-moving-fedora-silverblue-to-another-hdd/

Yes, that or you have to tell your BIOS Setup which Secure Boot shim to trust. It’s certainly signed in Silverblue; you may have trouble signing modules for out of tree drivers (nvidia, realtek or so, in case you need them).

Please see A note on Secure Boot on Fedora 33 is officially here! - Fedora Magazine
Not sure what the latest on this topic is, but Windows 11 could have revoked the key.

Do you know which one it is? I see 3 different shims:

#ls -l /boot/efi/EFI/fedora
total 7176
-rwx------. 1 root root     110 Dec 31  1979 BOOTX64.CSV
drwx------. 2 root root    4096 Dec 31  1979 fonts
-rwx------. 1 root root     144 Aug 31 14:25 grub.cfg
-rwx------. 1 root root 2536712 Dec 31  1979 grubx64.efi
-rwx------. 1 root root 1159560 Dec 31  1979 mmx64.efi
-rwx------. 1 root root 1210776 Dec 31  1979 shim.efi
-rwx------. 1 root root 1204496 Dec 31  1979 shimx64-fedora.efi
-rwx------. 1 root root 1210776 Dec 31  1979 shimx64.efi

Did you ever figure this out?

Not directly, but I reinstalled Kinoite at some point while having secure boot already enabled in BIOS, and it worked.

Interesting. Maybe I’ll just try enabling it and see if it works.

It was really easy to get working actually. I just set /boot/efi/EFI/fedora/shimx64.efi as trusted, and enabled secure boot.

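For the "which shim is it?" question in the thread, an added example (not part of any post above) that reports the firmware's Secure Boot state, reads which loader `BOOTX64.CSV` names, and groups the `.efi` files by hash so byte-identical copies are visible. It assumes the standard efivarfs path and the `loader,label,options,description` UTF-16 layout of `BOOT*.CSV` read by shim's fallback loader; the function names are hypothetical.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# Standard EFI global-variable GUID; assumes efivarfs is mounted in the usual place.
SB_VAR = Path("/sys/firmware/efi/efivars/"
              "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def secure_boot_enabled(raw: bytes) -> bool:
    """efivarfs prefixes 4 attribute bytes; the value is one byte, 1 = enabled."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable too short")
    return raw[4] == 1


def fallback_entries(csv_bytes: bytes) -> list[dict]:
    """Parse a BOOT*.CSV (assumed UTF-16: loader,label,options,description)."""
    has_bom = csv_bytes[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = csv_bytes.decode("utf-16" if has_bom else "utf-16-le")
    entries = []
    for line in text.splitlines():
        line = line.strip("\x00 \t")
        if not line:
            continue
        fields = (line.split(",", 3) + [""] * 4)[:4]
        entries.append(dict(zip(("loader", "label", "options", "description"), fields)))
    return entries


def identical_groups(directory: Path) -> list[list[str]]:
    """Group *.efi files by SHA-256 so byte-identical copies show up together."""
    groups = defaultdict(list)
    for path in sorted(Path(directory).glob("*.efi")):
        groups[hashlib.sha256(path.read_bytes()).hexdigest()].append(path.name)
    return sorted(groups.values())


def main(esp_dir: str = "/boot/efi/EFI/fedora") -> None:
    # Files on the ESP are root-only in the listing above, so run this as root.
    esp = Path(esp_dir)
    if SB_VAR.exists():
        print("Secure Boot enabled:", secure_boot_enabled(SB_VAR.read_bytes()))
    for csv in sorted(esp.glob("BOOT*.CSV")):
        for e in fallback_entries(csv.read_bytes()):
            print(f"{csv.name}: fallback registers {e['loader']} as '{e['label']}'")
    for names in identical_groups(esp):
        print("identical:" if len(names) > 1 else "unique:", ", ".join(names))


if __name__ == "__main__":
    main()
```

Identical hashes only show that two files are the same binary; whether the firmware accepts it still depends on the keys enrolled in that machine's UEFI.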