Manually enable Secureboot by keyfile in BIOS?

I got a new laptop! It is from Novacustom, with Coreboot!

I just swapped in my existing ublue Kinoite SSD and it works fine. But now I want to enable secureboot.

In the BIOS I can either reset to default keys (which may be Microsoft's?) or I can select a keyfile manually.

As my BIOS is password protected, I would like to only allow Fedora to boot.

But I cannot find such a keyfile in the BOOT or fedora directories?

It needs a DER-encoded X.509 certificate.

On most laptops it is possible to set the boot devices to prevent booting from external devices (such as USB). If you do that then only the installed OS would be allowed to boot. This should take care of the desire to only allow fedora to boot.

The default keys within the bios would be the correct ones since the fedora kernel/boot loader is already signed with an approved key within that list and fedora uses secure boot regularly.

If I understand correctly Kinoite requires secure boot by default. (I may be wrong with that since I do not use Kinoite)

You can find the Fedora signing key at https://src.fedoraproject.org/rpms/shim-unsigned-x64/tree/rawhide


Thanks, is it somewhere in the Efi partition? At least on Kinoite?

It is in the git repository only, and baked into the shim.

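The DER-encoded certificate the firmware asks for is embedded in the shim binary rather than shipped as a separate file on the EFI partition. As an added example, not code from this thread or from the shim project, the following Python carver scans a binary such as shimx64.efi for embedded X.509 v3 DER certificates (outer SEQUENCE, tbsCertificate SEQUENCE, version [0] INTEGER 2), checks that the lengths are consistent, and writes each one out as a .der file with its SHA-256 fingerprint; the input path and the output file name prefix are assumptions. Because shim also carries its Authenticode signature, the carver will typically find more than one certificate, so the fingerprint line is what lets you tell the Fedora CA apart from the signer's chain.

```python
import hashlib
import re
import struct
import sys
from pathlib import Path

# Start of an X.509 v3 certificate in DER, as embedded in shim:
#   30 82 LL LL   outer SEQUENCE, long-form 2-byte length
#   30 82 LL LL   tbsCertificate SEQUENCE, long-form 2-byte length
#   a0 03 02 01 02   version [0] EXPLICIT INTEGER 2 (v3)
CERT_PREFIX = re.compile(rb"\x30\x82(..)\x30\x82(..)\xa0\x03\x02\x01\x02", re.DOTALL)


def carve_der_certs(blob: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, der_bytes) for every plausible DER X.509 cert in blob."""
    found = []
    for m in CERT_PREFIX.finditer(blob):
        outer_len = struct.unpack(">H", m.group(1))[0]
        tbs_len = struct.unpack(">H", m.group(2))[0]
        start = m.start()
        end = start + 4 + outer_len
        # tbsCertificate must fit inside the outer SEQUENCE, and the outer
        # SEQUENCE must fit inside the file; otherwise this is a false hit.
        if tbs_len + 4 > outer_len or end > len(blob):
            continue
        found.append((start, blob[start:end]))
    return found


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER bytes, for comparing against a known CA."""
    return hashlib.sha256(der).hexdigest()


def extract_from_file(path: str, out_prefix: str = "shim-cert") -> list[str]:
    """Carve every certificate out of `path` and write them as <prefix>-N.der."""
    blob = Path(path).read_bytes()
    written = []
    for i, (off, der) in enumerate(carve_der_certs(blob)):
        out = f"{out_prefix}-{i}.der"  # output name is an assumption
        Path(out).write_bytes(der)
        written.append(out)
        print(f"{out}: offset 0x{off:x}, {len(der)} bytes, "
              f"sha256 {sha256_fingerprint(der)}")
    return written


if __name__ == "__main__":
    # usage: python carve.py /boot/efi/EFI/fedora/shimx64.efi (path is an assumption)
    extract_from_file(sys.argv[1])
```

Each resulting file can be inspected with `openssl x509 -inform der -in shim-cert-0.der -noout -subject -fingerprint -sha256` before deciding whether it is the one to enrol.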

Hmm, not sure if I could add it then, to allow setting it as boot key.

This might not be helpful, but I thought about doing it. After reading this thread I feel like it’s best to leave it for now.
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/NHM3SBBSLWAHNBXZVUK6UOBPGB4VW6FF/#YTJ2ZOU3ILIRSGN3ABHAK4GEEQNCJTXE

The shim is signed by Microsoft, so if you follow the current Fedora boot path (shim → grub → kernel), the Microsoft key is still needed.

p.s. Though I do like the idea of having an option to not use shim and enroll a Fedora key.


It would be required, I thought, to enrol the key of the OS you wish to secure boot. So it is the same key that gets enrolled when you install Fedora (whatever variant) as a secure boot setup. I don’t see the problem with adding it after the fact by enrolling; it resides in the shim as @vekruse noted.


@boredsquirrel

The bios already contains the keys.
The shim used to boot fedora is signed by that key.
As implied in the discussion above, fedora is properly signed, the key is already enrolled in the bios, and the user needs to do nothing more than to boot and install fedora by default. It seems you are misreading whatever instructions are in front of you.

Yes, an os must have signed modules (the shim) to load the kernel when secure boot is enabled.
Fedora already meets that requirement and has for several release versions. Nothing more needs to be done.


Thanks, yes I know. I was just wondering if I could block any OS from booting apart from Fedora. This would make Windows unbootable, and Ubuntu I guess. The use case is narrow and not really relevant.

Just remembered I’ve seen these before. Though I never attempted any of them, it seems like a big headache…

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot
