tl;dr:
The blue screen on reboot after adding keys for secure boot confuses me and I would like to know more about it and where to learn about it, hopefully with pictures.
Sometimes to run software on my Fedora machine I have to sign keys for secure boot.
There is one part of it that I feel is lacking, and this goes for most other articles or documentation I’ve seen on signing keys for secure boot.
They tend to gloss over the reboot process, and what steps to take when you see the UEFI console. (I may be calling it the wrong thing, I know it mainly as the blue screen that scares me when I reboot after creating keys.)
Reboot, and complete the enrollment at the UEFI console.
reboot
After the system reboots, verify the keys on the system key ring again.
This line of instructions is probably the most common way I have seen it described. I am still very confused by the blue screen.
My confusion about it can be separated into two parts:
How to get to the screen:
Does it automatically show up after importing a key with mokutil? (I’ve done this process a few times and I can’t remember if it was automatic or I had to press some key to prompt it).
I feel like I have seen the blue screen pop up but I did not respond in time, and it just booted normally. In those cases, how do I reload the screen to reattempt?
What to do once on the screen:
It’s not immediately obvious to me which options to choose or how to determine if I have chosen the right ones. It seems like there could be many possible paths based on the options you choose.
Where is the documentation for this screen? Is it different per distro? Is it the same for all distros?
It sounds to me like you are asking about the mokutil key import screen that shows the first time you reboot after running mokutil import <mykey>.
This screen appears once on the first boot after running that import command.
If you tell it to continue booting without completing the import you once again have to run the mokutil import command. Remember that you had to give a password when running that command, and that password is needed to actually import the key into the BIOS on the boot.
Instructions are in /usr/share/doc/akmods/README.secureboot
This is Fedora, and Fedora uses akmods to generate the modules and sign them. Other distros use dkms and the signing process is different. I also believe that importing the keys may be different but do not know for sure. You would need to check with each distro you use.
It includes screenshots of the blue screens and tells what to do. These instructions are the same as for akmod except for the location of the file specified in the mokutil --import command.
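The sequence the answer above describes (queue the key with mokutil --import, reboot into the MOK manager screen, then confirm the key actually got enrolled) can be checked from the terminal before and after the reboot. The script below is an added example and is not from this thread or from the akmods README; it assumes root, that mokutil and openssl are installed, and that the public key is the DER file kmodgenca writes (the path is given as a placeholder you replace with your own). The two parsing helpers read mokutil's listing from stdin so they can be exercised on constructed output without touching the firmware variables.

```sh
#!/bin/sh
# Added example (not the forum's or akmods' own code). Wraps the MOK enrollment
# checks around the reboot described in the thread. Run as root on Fedora.

# Placeholder: path of the DER-encoded public key you queued for enrollment.
MOK_CERT="${MOK_CERT:-/path/to/public_key.der}"

# Pure helper: classify the output of `mokutil --list-new` read from stdin.
# mokutil prints "MokNew is empty" when nothing is queued for the next boot and
# one "[key N]" block per queued certificate otherwise.
mok_pending_state() {
    out=$(cat)
    case "$out" in
        *"is empty"*) echo none ;;
        *"[key "*)    echo pending ;;
        "")           echo none ;;
        *)            echo unknown ;;
    esac
}

# Pure helper: does the listing on stdin (e.g. `mokutil --list-enrolled`) contain
# the given SHA1 fingerprint? Case-insensitive because openssl prints upper-case
# hex and mokutil lower-case. Returns 0 when found, 1 otherwise.
fingerprint_enrolled() {
    grep -qi "SHA1 Fingerprint: *$1"
}

# SHA1 fingerprint of a DER certificate, colon-separated hex as mokutil shows it.
cert_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Step 1 (before reboot): queue the enrollment request. mokutil asks for a
# one-time password; MokManager asks for the same password on the next boot.
# The request is one-shot: if the blue screen was skipped or timed out, simply
# run this again and reboot again.
request_enrollment() {
    mokutil --import "$1"
    printf 'Queued state: %s\n' "$(mokutil --list-new | mok_pending_state)"
}

# Step 2 (after reboot): verify the key made it into the MokList variable.
verify_enrollment() {
    fp=$(cert_fingerprint "$1")
    if mokutil --list-enrolled | fingerprint_enrolled "$fp"; then
        echo "enrolled: $fp"
        return 0
    fi
    echo "NOT enrolled: $fp (MokManager step not completed; re-run request)"
    return 1
}

# Usage: ./mok-check.sh request | verify   (no argument: define functions only)
case "${1:-}" in
    request) mokutil --sb-state; request_enrollment "$MOK_CERT" ;;
    verify)  mokutil --sb-state; verify_enrollment "$MOK_CERT" ;;
esac
```

Running it with `request` before the reboot and `verify` afterwards answers the two questions in the original post directly: `mokutil --list-new` tells you whether the blue screen will appear on the next boot at all, and a missing fingerprint in `mokutil --list-enrolled` after the reboot means the MokManager dialog was skipped and the import has to be queued again.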
Signing kernel extensions is something completely different: a software security framework specific to Linux, implemented by the mainstream distributions Red Hat and Debian.
Okay thanks. So I think this means the boot screen could potentially be different per distro since they all might implement this UEFI specification differently.