Hi, I recently upgraded from 34 to 35 and secureboot was working fine.
I was unhappy with bloat in the 35 and so I decided to reinstall.
On starting the new install I couldn’t boot unless I disabled secure boot in the bios.
How do I install secureboot so that kernels are signed (or do I sign ostree sysroot?) on update?
mtia
Verify your downloaded image with gpg and sha.
Hi, I use sha256sum, and it looks ok, but I can’t use gpg, I don’t know how.
Actually, I am going to follow the instructions at https://docs.fedoraproject.org/en-US/fedora/f35/install-guide/install/Preparing_for_Installation/#sect-verifying-images
And am going to reinstall.
I hope it will help
When I installed Silverblue, I had secure boot switched off because I was coming from another distro that required it to be off. Does secure boot matter? Do I need to reinstall with secure boot turned on?
Yes turn it on and it will work with secureboot
There is another way to use secure boot.
Before performing the following steps, you should check the following points:
- Make sure your system has shimx64.efi by checking with
  $ sudo ls /boot/efi/EFI/fedora/
- You're currently using a kernel provided by the Fedora repos and not a custom kernel.
- Check the content of grub.cfg in /boot/efi/EFI/fedora/ to see whether this file is still the default one and not modified, by using
  $ sudo cat /boot/efi/EFI/fedora/grub.cfg
  and it shows a message similar to the one below:
  search --no-floppy --fs-uuid --set=dev 22222-uuid-random-number-33333
  set prefix=($dev)/grub2
  export $prefix
  configfile $prefix/grub.cfg
How to change the Fedora boot with secure boot.
First of all, check with efibootmgr which EFI file you're currently using.
$ efibootmgr -v
From the above command, if your system is currently not able to boot with secure boot on, you should find an entry mentioning Fedora, probably with a line like this:
...
Boot0001* Fedora HD(1,GPT,6683d850-8044-4312-b685-23fd67805aec,0x800,0x12c000)/File(\EFI\allin\grubx64.efi)
...
It ends with grubx64.efi. To be able to boot with secure boot on, we need to change this to shimx64.efi.
Also take note of the boot number. In the above example it is Boot0001, which means the boot number is 0001.
# Delete the old one
$ sudo efibootmgr -B -b 0001
# Add the new one.
# Below are using `/dev/sda`, you should change this part with your hard disk type (check with `lsblk`).
$ sudo efibootmgr -c -d /dev/sda -L fedora -l \\EFI\\fedora\\shimx64.efi
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot the system and go to the BIOS settings to turn on secure boot. Then go to the boot priority list and place fedora first in the list, save, and boot again.
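The check described in the post above (does the boot entry end in grubx64.efi or shimx64.efi?) can be scripted. This is an added example, not part of the original post: the function names and both sample outputs are constructed for illustration, and it only reads `efibootmgr -v` output without changing any boot entry.

```shell
#!/bin/sh
# Added example: classify UEFI boot entries by the loader they start.
# The two samples are constructed `efibootmgr -v` output, not real captures.
sample_before() {
cat <<'EOF'
BootCurrent: 0001
BootOrder: 0001,0002
Boot0001* Fedora HD(1,GPT,6683d850-8044-4312-b685-23fd67805aec,0x800,0x12c000)/File(\EFI\allin\grubx64.efi)
Boot0002* UEFI PXE PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)
EOF
}
sample_after() {
cat <<'EOF'
BootCurrent: 0000
BootOrder: 0000,0002
Boot0000* fedora HD(1,GPT,6683d850-8044-4312-b685-23fd67805aec,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0002* UEFI PXE PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)
EOF
}

# stdin: efibootmgr -v output. stdout: NUM<TAB>LOADER<TAB>VERDICT per entry.
classify_entries() {
  awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
      num = substr($0, 5, 4); loader = "-"; verdict = "no-file-path"
      if (match($0, /File\([^)]*\)/)) {
        # Strip the leading "File(" and the trailing ")".
        loader = substr($0, RSTART + 5, RLENGTH - 6)
        # UEFI paths are case-insensitive; accept shimx64.efi, shimaa64.efi, ...
        verdict = (tolower(loader) ~ /\\shim[a-z0-9]*\.efi$/) ? "shim" : "not-shim"
      }
      printf "%s\t%s\t%s\n", num, loader, verdict
    }'
}

# Exit 0 only when the first entry in BootOrder is started through shim.
first_entry_uses_shim() {
  out=$(cat)
  first=$(printf '%s\n' "$out" | sed -n 's/^BootOrder: *\([0-9A-Fa-f]*\).*/\1/p')
  [ -n "$first" ] || return 2   # no BootOrder line found
  verdict=$(printf '%s\n' "$out" | classify_entries |
    awk -F '\t' -v n="$first" '($1 "") == (n "") { print $3 }')
  [ "$verdict" = "shim" ]
}

sample_before | classify_entries   # 0001 is "not-shim"
sample_after | classify_entries    # 0000 is "shim"
```

On a real system, pipe the live output in instead of a sample: `sudo efibootmgr -v | first_entry_uses_shim && echo "first boot entry uses shim"`.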
Just curious here, about why you wouldn’t have chosen to do rpm-ostree reset after upgrading to Fedora Linux 35 Silverblue, in order to get back to the base commit, so no bloat.
I’m still learning Silverblue. So that command would roll the system back to a factory fresh install, without the need to actually re-install from a USB?
Yes that is precisely what it was intended for, return the OS to the original commit state (with accrued updates) and remove all overlaid packages. Overrides to replacements on the base commit can be reset with this command too I believe.
Wow. Great to know! Hope I don't need to use it.