I was told I should re-enable Secure Boot, but if I do, the system does not start

Hi,
I am a complete Linux newbie, started two weeks ago. I’ve got an Asus Expertbook B1503CVA-S72273W - i5-1334U laptop, on which I installed Fedora 43 KDE. To do that, I had to disable Secure Boot, otherwise I wasn’t able to start the installation from a USB stick. Having installed the system, I was told I should re-enable Secure Boot. However, when I do it, I get a Secure Boot Violation error, so the system doesn’t start at all. Also, the system information under Fedora says that Linux kernel blockade (lock? - sorry, I am back-translating from Polish, so not sure about the terminology) and secured UEFI boot are disabled. It also mentions the computer has HSI boot problems and that the PCR0 TPM differs from reconstruction. The computer itself works fine, but I understand the things I describe affect its safety. What should I do?

Secure boot does not protect you from the most common exploits, but adds complexity and may limit what you can do with your hardware. Whether you need it depends on whether you may be a target of organizations with advanced attack capabilities and have effective mitigation for simpler attacks.

First, double check that you’ve upgraded your BIOS to the latest version. Sometimes these updates contain important fixes related to Secure Boot, in addition to other things.

After that, I’d suggest setting your BIOS settings to default or “optimized” settings. Then try to boot from your USB again.

If that still doesn’t work, the default Secure Boot settings might be too strict. Some systems list this as “Microsoft CA only” in the Secure Boot settings. You might need to enable another, more relaxed setting, sometimes called “3rd Party CA”.

If you can provide a photo of your Secure Boot settings screen for your laptop, I might have more specific advice for what you should set.

Had a similar issue today with Secure Boot breaking NVIDIA drivers because it blocks the kernel with NVIDIA drivers.

In your case, it’s blocking the Fedora kernel entirely because the Fedora signature isn’t added to UEFI.

GitHub - roworu/nvidia-fedora-secureboot resolved my specific issue with the NVIDIA drivers missing.

In your case, you can follow Steps 5, 6, and 7 to add the Fedora signature to UEFI:

  1. Import your key and set a password for it (no need for a complex password)
    sudo mokutil --import /etc/pki/akmods/certs/public_key.der
  2. Reboot:
    sudo systemctl reboot
  3. MOK manager will ask if you want to proceed with booting or enroll the key. Choose “Enroll MOK” → “Continue” and enter the password created in Step 1.

Otherwise, as mentioned earlier, you can technically keep Secure Boot turned off.
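A pre-flight report to run before flipping Secure Boot back on, added here as an example that is not part of the thread or of Fedora's own tooling: it decodes the SecureBoot and SetupMode variables from efivarfs and checks that the files the MOK steps above rely on are present. The EFIVARS override and the list of checked paths are my assumptions.

```shell
#!/bin/sh
# Pre-flight report before re-enabling Secure Boot on a Fedora install.
# Added example, not from the thread or from Fedora. Assumes efivarfs
# (4 attribute bytes, then the variable data) and Fedora's default paths.

# Print the first data byte of a UEFI variable file ("1" or "0"), or
# "absent" when the file is unreadable (BIOS boot, efivarfs not mounted).
efi_bool() {
    [ -r "$1" ] || { echo absent; return 0; }
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' '
}

# Classify firmware state from the SecureBoot and SetupMode values.
sb_status() {
    if [ "$1" = absent ]; then echo no-efivars
    elif [ "$2" = 1 ]; then echo setup-mode     # keys cleared, SB off
    elif [ "$1" = 1 ]; then echo enabled
    else echo disabled; fi
}

# Report each missing path; return 1 if any is missing, else 0.
check_files() {
    missing=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing: $f"; missing=1; }
    done
    return $missing
}

main() {
    vars=${EFIVARS:-/sys/firmware/efi/efivars}
    guid=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID
    sb=$(efi_bool "$vars/SecureBoot-$guid")
    setup=$(efi_bool "$vars/SetupMode-$guid")
    echo "firmware: $(sb_status "$sb" "$setup")"
    # shim is the Microsoft-signed first stage that loads Fedora's GRUB;
    # public_key.der is the akmods MOK certificate the post above imports.
    if check_files /boot/efi/EFI/fedora/shimx64.efi \
                   /etc/pki/akmods/certs/public_key.der; then
        echo "verdict: required files present, re-enabling Secure Boot can be tried"
    else
        echo "verdict: resolve the missing pieces before re-enabling Secure Boot"
    fi
}

main "$@"
```

Run it as root once with Secure Boot still off; "setup-mode" means the firmware's key database was cleared and must be restored to defaults before the Microsoft-signed shim will be accepted.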

Thank you very much for all the information. I will probably keep Secure Boot off, as I am too new (i.e. too scared :smiley:) to mess too much with UEFI. @yurislnx, I will try to look at the BIOS option as soon as I have some time, and will post what I find. Thanks again.
