Secure boot not installed when installing fresh Fedora 35 Silverblue

Hi, I recently upgraded from 34 to 35 and secureboot was working fine.
I was unhappy with bloat in the 35 and so I decided to reinstall.
On starting the new install I couldn’t boot unless I disabled secure boot in the BIOS.
How do I install secureboot so that kernels are signed (or do I sign ostree sysroot?) on update?
mtia

Verify your downloaded image with gpg and sha.

Hi, I use sha256sum, and it looks ok, but I can’t use gpg, I don’t know how.

Actually, I am going to follow the instructions at https://docs.fedoraproject.org/en-US/fedora/f35/install-guide/install/Preparing_for_Installation/#sect-verifying-images

And am going to reinstall.

I hope it will help

When I installed Silverblue, I had secure boot switched off because I was coming from another distro that required it to be off. Does secure boot matter? Do I need to reinstall with secure boot turned on?

1 Like

Yes, turn it on and it will work with secure boot.

There is another way to use secure boot.

Before performing the following steps, you should check the following points:

  1. Make sure your system has shimx64.efi by checking with $ sudo ls /boot/efi/EFI/fedora/.
  2. You’re currently using a kernel provided by the Fedora repos and not a custom kernel.
  3. Check that grub.cfg in /boot/efi/EFI/fedora/ is still the default one and has not been modified, by using $ sudo cat /boot/efi/EFI/fedora/grub.cfg; it should show content similar to the below:
    search --no-floppy --fs-uuid --set=dev 22222-uuid-random-number-33333
    set prefix=($dev)/grub2
    export $prefix
    configfile $prefix/grub.cfg
    

How to change the Fedora boot with secure boot.

First of all, check with efibootmgr which EFI file you’re currently using.

$ efibootmgr -v

From the above command, if your system is currently not able to boot with secure boot on, you should find an entry mentioning Fedora, probably with a line like this:

...
Boot0001* Fedora	HD(1,GPT,6683d850-8044-4312-b685-23fd67805aec,0x800,0x12c000)/File(\EFI\allin\grubx64.efi)
...

It ends with grubx64.efi. To be able to turn secure boot on, we need to change this to shimx64.efi.

Also take note of the boot number. In the above example it is Boot0001, which means the boot number is 0001.

# Delete the old one
$ sudo efibootmgr -B -b 0001

# Add the new one.
# The command below uses `/dev/sda`; change this to match your disk (check with `lsblk`).
$ sudo efibootmgr -c -d /dev/sda -L fedora -l \\EFI\\fedora\\shimx64.efi
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot the system and go to the BIOS settings to turn on secure boot. Then go to the boot priority list and place fedora first in the list, save, and boot again.
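
The check that the post above does by eye on `efibootmgr -v` output, as an added example that is not part of the original thread: it reads the entries and marks those whose loader is grub*.efi rather than shim*.efi. The function names and the second and third sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify UEFI boot entries by loader.

# Reads `efibootmgr -v` text on stdin and prints one line per boot entry:
#   <bootnum> <verdict> <label>
# verdict: shim        = entry loads shim*.efi (what the post switches to)
#          direct-grub = entry loads grub*.efi directly (the case the post replaces)
#          other       = another loader, or no File() node in the device path
classify_boot_entries() {
    awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
        num   = substr($0, 5, 4)
        rest  = substr($0, 11)             # text after "BootXXXX* "
        tab   = index(rest, "\t")          # label and device path are tab-separated
        label = (tab > 0) ? substr(rest, 1, tab - 1) : rest
        path  = (tab > 0) ? substr(rest, tab + 1)    : rest
        verdict = "other"
        if (match(path, /File[(][^)]*[)]/)) {
            loader = tolower(substr(path, RSTART + 5, RLENGTH - 6))
            n = split(loader, part, /\\/)  # keep only the file name
            if (part[n] ~ /^shim.*\.efi$/)      verdict = "shim"
            else if (part[n] ~ /^grub.*\.efi$/) verdict = "direct-grub"
        }
        print num, verdict, label
    }'
}

# Prints only the boot numbers that point straight at GRUB.
entries_needing_shim() {
    classify_boot_entries | awk '$2 == "direct-grub" { print $1 }'
}

# Constructed sample: the first entry is the line quoted in the post,
# the other two are made up for this example.
sample_efibootmgr_output() {
    printf 'BootCurrent: 0001\nBootOrder: 0001,0002,0003\n'
    printf 'Boot0001* Fedora\tHD(1,GPT,6683d850-8044-4312-b685-23fd67805aec,0x800,0x12c000)/File(\\EFI\\allin\\grubx64.efi)\n'
    printf 'Boot0002* fedora\tHD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x12c000)/File(\\EFI\\fedora\\shimx64.efi)\n'
    printf 'Boot0003  USB\tPciRoot(0x0)/Pci(0x14,0x0)\n'
}

if [ "${1:-}" = "--live" ]; then
    efibootmgr -v | classify_boot_entries   # inspect the real firmware entries
else
    sample_efibootmgr_output | classify_boot_entries
fi
```

Run it with `--live` to classify the machine's own entries; without arguments it only processes the constructed sample.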

Just curious here, about why you wouldn’t have chosen to do rpm-ostree reset after upgrading to Fedora Linux 35 Silverblue, in order to get back to the base commit, so no bloat.

2 Likes

I’m still learning Silverblue. So that command would roll the system back to a factory fresh install, without the need to actually re-install from a USB?

Yes, that is precisely what it was intended for: return the OS to the original commit state (with accrued updates) and remove all overlaid packages. Overrides to replacements on the base commit can be reset with this command too, I believe.

1 Like

Wow. Great to know! Hope I don’t need to use it. :wink: