So here is my situation: I installed Fedora 40 and used this guide: https://rpmfusion.org/Howto/Secure%20Boot
to set up secure boot. After I restarted my computer I checked
GNOME Settings > Privacy & Security > Device Security and found out that it was still off, so I did some troubleshooting and found out that it was actually disabled in my UEFI settings, so I enabled it. When I booted up again and checked the settings it said “secure boot has problems”,
but when I run
“mokutil --sb-state”
in the terminal it says “secure boot enabled”.
So I am worried, is it working or not?
What should I do?
Two places to see the actual secure boot status:
sudo dmesg | grep -i secure
mokutil --sb-state
The gui does other checks and may not be 100% accurate in all cases.
The gui only works with what was available for the developer and might not be totally compatible with your hardware.
Both of the two commands say that secure boot is enabled, but the GUI for some reason gives that warning… The reason I’m worried is that the GUI explains more (lol): it says that it has an invalid key or something, or that I need to check my UEFI settings, but like what do I do???
Should I just ignore the warning in GNOME Settings? Or what should I do?
It also showed the key I have enrolled, but is there a way to tell if the key is invalid? Because the warning I’m getting from GNOME Settings says that “secure boot is on, but will not work due to having an invalid key”.
BTW I’m not exactly sure what it means by “invalid key”, because I have a key enrolled.
What keys does it show?
Mine shows 4 keys.
One for fedoraca, plus one each for my locally built key for the drivers, grub, and another for fedora. The only one I consciously recall doing deliberately was the host key.
Sometimes the key may expire due to date and would then be best removed, which also can be done with mokutil. You may use man mokutil or mokutil -h to find out what all features are available with mokutil – there are many and the man page gives explanations for each.
With mokutil --list-enrolled --verbose-listing you can get a detailed listing for each key enrolled. You should note that each key listed shows a “Not Before” and “Not After” date and if one has expired it may generate that warning in the settings panel.
Every key in addition to the built-in key “fedoraca” has to have been deliberately added by going through the blue screen dialogue. It could have been a long time ago and could have been while running a previous linux installation.
To remove an entry you need a copy of the .der file used to enroll it. If you no longer have it, you can export the keys using mokutil --export.
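As an added example (not from this thread and not part of mokutil): a small Python script that parses the verbose listing described above and reports every enrolled certificate whose “Not Before”/“Not After” window does not cover a given date, which is the check suggested for that settings-panel warning. The embedded listing is constructed to mimic mokutil’s output format; the subject names and fingerprints in it are made up.

```python
"""Flag enrolled MOK certs whose validity window does not cover a given date."""
import re
from datetime import datetime, timezone

# Constructed sample in `mokutil --list-enrolled --verbose-listing` format; values are made up.
SAMPLE_LISTING = """\
[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Validity
            Not Before: Sep  5 19:55:54 2012 GMT
            Not After : Sep  3 19:55:54 2042 GMT
        Subject: CN=Fedora Secure Boot CA
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2018 GMT
        Subject: CN=Local MOK (constructed)
"""

def _parse_date(text):
    # OpenSSL-style date such as "Sep  5 19:55:54 2012 GMT"; drop the zone name.
    parts = [p for p in text.split() if p not in ("GMT", "UTC")]
    stamp = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def parse_enrolled(listing):
    """One dict per [key N] block: subject plus not_before/not_after datetimes."""
    keys = []
    for block in re.split(r"^\[key \d+\]", listing, flags=re.M)[1:]:
        subj = re.search(r"^\s*Subject:\s*(.+)$", block, re.M)
        nb = re.search(r"Not Before:\s*(.+)$", block, re.M)
        na = re.search(r"Not After\s*:\s*(.+)$", block, re.M)
        keys.append({"subject": subj.group(1).strip() if subj else "?",
                     "not_before": _parse_date(nb.group(1)),
                     "not_after": _parse_date(na.group(1))})
    return keys

def find_invalid(listing, now=None):
    """Subjects expired or not yet valid at `now` (UTC datetime, 'YYYY-MM-DD', or None = today)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return [k["subject"] for k in parse_enrolled(listing)
            if not (k["not_before"] <= now <= k["not_after"])]
```

On a real system, feed the actual output of mokutil into `find_invalid` instead of `SAMPLE_LISTING`, for example via `subprocess.run(["mokutil", "--list-enrolled", "--verbose-listing"], capture_output=True, text=True).stdout`.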
I only ever added one (by going through the blue screen). So when I run: mokutil --list-enrolled
it shows me fedoraca and another one.
I am a beginner, this is my first Linux installation ever, so I’m struggling to keep up exactly,
but what I did was install secure boot from this link: Howto/Secure Boot - RPM Fusion
I don’t think there are any issues with the mok certificates. If you want to pursue this further, we need a more detailed report from that analysis tool.