Like to know where I might learn more about the UEFI boot screen

tldr;
The blue screen on reboot after adding keys for secure boot confuses me and I would like to know more about it and where to learn about it, hopefully with pictures. :sweat_smile:

Sometimes to run software on my Fedora machine I have to sign keys for secure boot.

The documentation provided by fedora called Working with Kernel Modules is very helpful.

There is one part of it that I feel is lacking, and this goes for most other articles or documentation I’ve seen on signing keys for secure boot.

  • They tend to gloss over the reboot process, and what steps to take when you see the UEFI console. (I may be calling it the wrong thing, I know it mainly as the blue screen that scares me when I reboot after creating keys.)

I’ll show an example from the fedora Working with Kernel Modules documentation I mentioned earlier:

  1. Request enrollment of your public key.

mokutil --import my_signing_key_pub.der

  2. Reboot, and complete the enrollment at the UEFI console.

reboot

  3. After the system reboots, verify the keys on the system key ring again.

This line of instructions is probably the most common way I have seen it described. I am still very confused by the blue screen.

My confusions about it can be separated:

How to get to the screen:

  1. Does it automatically show up after importing a key with mokutil? (I’ve done this process a few times and I can’t remember if it was automatic or I had to press some key to prompt it).

  2. I feel like I have seen the blue screen pop up but I did not respond in time, and it just booted normally. In those cases, how do I reload the screen to reattempt?

What to do once on the screen:

  1. It’s not immediately obvious to me which options to choose or how to determine if I have chosen the right ones. It seems like there could be many possible paths based on the options you choose.

  2. Where is the documentation for this screen? Is it different per distro? Is it the same for all distros?

It sounds to me like you are asking about the mokutil key import screen that shows the first time you reboot after running mokutil import <mykey>.

This screen appears once on the first boot after running that import command.
If you tell it to continue booting without completing the import, you once again have to run the mokutil import command. Remember that you had to give a password when running that command, and that password is needed to actually import the key into the bios on the boot.

Instructions are in /usr/share/doc/akmods/README.secureboot

This is fedora and fedora uses akmods to generate the modules and sign them. Other distros use dkms and the signing process is different. I also believe that importing the keys may be different but do not know for sure. You would need to check with each distro you use.

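To tell apart the three situations described in the reply above (key enrolled, import requested but MokManager not yet completed, nothing pending), here is an added shell example that is not from the thread or the Fedora docs. It assumes mokutil's listing format (a `SHA1 Fingerprint:` line per key in `--list-enrolled` and `--list-new`); the key file name and the sample listings are constructed.

```sh
#!/bin/sh
# Added example, not from the thread or the Fedora docs: read the listings
# that mokutil itself prints and say whether a MOK public key is already
# enrolled, still pending (MokManager must be completed on the next reboot,
# with the password given at import time), or was never requested.
# Key file names and the sample listings below are constructed.

# Normalise a fingerprint so openssl's "2B:4D:..." and mokutil's "2b:4d:..."
# compare equal: drop colons, lowercase the hex.
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Extract the "SHA1 Fingerprint:" values from a mokutil listing, one per line.
listing_fps() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SHA1 Fingerprint:[[:space:]]*//p'
}

# mok_state FINGERPRINT ENROLLED_LISTING NEW_LISTING
# ENROLLED_LISTING is the text of `mokutil --list-enrolled`, NEW_LISTING the
# text of `mokutil --list-new`. Prints: enrolled | pending | missing.
mok_state() {
    want=$(norm_fp "$1")
    for fp in $(listing_fps "$2"); do
        if [ "$(norm_fp "$fp")" = "$want" ]; then echo enrolled; return 0; fi
    done
    for fp in $(listing_fps "$3"); do
        if [ "$(norm_fp "$fp")" = "$want" ]; then echo pending; return 0; fi
    done
    echo missing
}

# Live check on a Secure Boot machine: fingerprint the DER key with openssl
# and ask mokutil for both listings. Usage: check_key my_signing_key_pub.der
check_key() {
    fp=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 | sed 's/^.*=//')
    mok_state "$fp" "$(mokutil --list-enrolled 2>/dev/null)" \
                    "$(mokutil --list-new 2>/dev/null)"
}

# Constructed sample listings in mokutil's output format (fingerprints made up).
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)'
SAMPLE_NEW='[key 1]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd'
```

Run `check_key` on the .der you imported: `pending` before the reboot means the request is queued for MokManager, `enrolled` afterwards means the blue screen was completed, and `missing` after the reboot matches the case above where booting continued without enrolling, so mokutil --import has to be run again.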

For dkms, read this description: https://github.com/dell/dkms/blob/master/README.md

It includes screenshots of the blue screens and tells what to do. These instructions are the same as for akmod except for the location of the file specified in mokutil --import command.


Thanks for the help. :pray:

UEFI is an initiative launched by Intel that went to a consortium, with information here: https://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html. The UEFI boot screen is a hardware interface.

Signing kernel extensions is something completely different: a software security framework specific to Linux, implemented by mainstream distributions, namely Red Hat and Debian.


Okay, thanks. So I think this means the boot screen could potentially be different per distro, since they all might implement the UEFI specification differently.

Not so much distro specific as BIOS specific. That screen is presented by the UEFI BIOS before it even reaches the boot loader level.
