In settings it says "secure boot has problems" although it is enabled

So here is my situation: I installed Fedora 40 and used this guide:
https://rpmfusion.org/Howto/Secure%20Boot
to set up secure boot. After I restarted my computer I checked
GNOME Settings > Privacy & Security > Device Security and found out that it was still off, so I did some troubleshooting and found out that it was actually disabled in my UEFI settings, so I enabled it. When I booted up again and checked the settings it said "secure boot has problems".


But when I run
"mokutil --sb-state"
in a terminal it says "secure boot enabled".
So I am worried, is it working or not?
What should I do?

Thanks for all your help.

Two places to see the actual secure boot status.
sudo dmesg | grep -i secure
mokutil --sb-state

The gui does other checks and may not be 100% accurate in all cases.
The gui only works with what was available for the developer and might not be totally compatible with your hardware.


Both of the two commands say that secure boot is enabled, but the GUI for some reason gives that warning… The reason I'm worried is that the GUI explains more (lol): it says that it has an invalid key or something, or that I need to check my UEFI settings, but what do I do???
Should I just ignore the warning in GNOME Settings? Or what should I do?

thanks

You can also run mokutil --list-enrolled and if it shows

2bb010e24d fedoraca

you are up-to-date. It should also show the key you enrolled if you enrolled any.


I ran it and it showed:

2bb010e24d fedoraca

It also showed the key I am enrolled in, but is there a way to tell if the key is invalid? Because the warning I'm getting from GNOME Settings says that "secure boot is on, but will not work due to having an invalid key".

By the way, I'm not exactly sure what it means by "invalid key" because I have a key enrolled.

Is it possible to create a more detailed report? Without that it is pretty pointless to ask the manufacturer for help.


What keys does it show?
Mine shows 4 keys.
One for fedoraca, plus one each for my locally built key for the drivers, grub, and another for fedora. The only one I consciously recall doing deliberately was the host key.

Sometimes the key may expire due to date and would then be best removed, which also can be done with mokutil. You may use man mokutil or mokutil -h to find out what all features are available with mokutil – there are many and the man page gives explanations for each.

With mokutil --list-enrolled --verbose-listing you can get a detailed listing for each key enrolled. You should note that each key listed shows a “Not Before” and “Not After” date and if one has expired it may generate that warning in the settings panel.

Every key in addition to the built-in key “fedoraca” has to have been deliberately added by going through the blue screen dialogue. It could have been a long time ago and could have been while running a previous linux installation.

To remove an entry you need a copy of the .der file used to enroll it. If you no longer have it, you can export the keys using mokutil --export.
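As an added example (not code from this thread or from mokutil itself), a small Python script that parses the text printed by mokutil --list-enrolled --verbose-listing and reports, for each enrolled MOK certificate, whether its "Not Before"/"Not After" window covers the current date, which is the expiry check described above. The listing embedded in the script is a constructed sample in the openssl-style layout mokutil prints; the subjects, dates and the fingerprint bytes after the first five are made up for the example.

```python
import re
from datetime import datetime, timezone
# Constructed sample of `mokutil --list-enrolled --verbose-listing` output.
# Layout mimics the openssl-style text mokutil prints; the dates and the
# fingerprint bytes after the first five are made up for this example.
SAMPLE_LISTING = """\
[key 1]
SHA1 Fingerprint: 2b:b0:10:e2:4d:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Certificate:
    Data:
        Issuer: CN=Fedora Secure Boot CA
        Validity
            Not Before: Oct  3 11:38:41 2012 GMT
            Not After : Oct  3 11:38:41 2037 GMT
        Subject: CN=Fedora Secure Boot CA
[key 2]
SHA1 Fingerprint: 0b:61:89:49:9b:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Certificate:
    Data:
        Issuer: CN=akmods local signing CA
        Validity
            Not Before: Jan  5 08:00:00 2019 GMT
            Not After : Jan  4 08:00:00 2024 GMT
        Subject: CN=akmods local signing CA
"""
# One line per field we care about; "Not After :" has a space before the colon.
FIELD_RE = re.compile(r"^\s*(SHA1 Fingerprint|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$", re.M)

def _parse_date(text):
    # openssl prints e.g. "Oct  3 11:38:41 2012 GMT"; drop the zone suffix and treat as UTC.
    return datetime.strptime(text.rsplit(" ", 1)[0], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_mok_listing(listing):
    """Return one dict per enrolled key with subject, fingerprint and validity window."""
    keys = []
    for block in re.split(r"^\[key \d+\]\s*$", listing, flags=re.M)[1:]:
        f = dict(FIELD_RE.findall(block))
        keys.append({"subject": f["Subject"], "fingerprint": f["SHA1 Fingerprint"],
                     "not_before": _parse_date(f["Not Before"]), "not_after": _parse_date(f["Not After"])})
    return keys

def check_validity(keys, now):
    """Pair each key's subject with 'valid', 'expired' or 'not yet valid' as of `now`."""
    def status(k):
        return "not yet valid" if now < k["not_before"] else "expired" if now > k["not_after"] else "valid"
    return [(k["subject"], status(k)) for k in keys]

if __name__ == "__main__":  # on a real machine, feed in the captured output of the mokutil command instead
    for subject, status in check_validity(parse_mok_listing(SAMPLE_LISTING), datetime.now(timezone.utc)):
        print(f"{status:14} {subject}")
```

An entry reported as "expired" is a candidate for removal with mokutil, as mentioned above; the short fingerprint prefix in the listing (2bb010e24d for fedoraca) is the same value mokutil --list-enrolled shows without --verbose-listing.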

I only added one ever (by going through the blue screen). So when I run:
mokutil --list-enrolled
it shows me fedoraca and another one.

I am a beginner, this is my first Linux installation ever, so I'm struggling to keep up exactly,
but what I did was install secure boot from this link: Howto/Secure Boot - RPM Fusion

and install the drivers

Probably something like

0b6189499b akmods local signing CA

but not exactly the same.

I don’t think there are any issues with the mok certificates. If you want to pursue this further, we need a more detailed report from that analysis tool.