HowTo: Linux and Secure boot

f33dm3bits (Gold Member, joined Dec 11, 2019)
I know not everyone is a fan of secure boot, but I recently discovered an easy way to set up secure boot using a tool called "sbctl", which allowed me to use the Microsoft keys already in my UEFI to sign a custom kernel; you can also enroll your own custom keys if you prefer to do that. I used the easy option, which is using the Microsoft keys, because I don't like headaches and over-complicating things when it can be done the easy way.

DISCLAIMER: I AM NOT RESPONSIBLE FOR BRICKING YOUR SYSTEM! DO AT YOUR OWN RISK!

This worked for me on my first try, so it is actually that easy with this tool. As an example, I am on Fedora Workstation.

1. Installation (See installation instructions for your distribution):
  1. Enable copr: sudo dnf copr enable chenxiaolong/sbctl
  2. Install sbctl: sudo dnf install sbctl
  3. Reboot
2. Clear your current keys:
  1. Enter your UEFI firmware.
  2. Select secure-boot and then under Keymanagement: "Clear your keys" (Depending on your UEFI version and vendor you should be able to reset your keys).
  3. Disable secure-boot, save and reboot.
3. Enroll your keys:
  1. This will enroll your system with the Microsoft keys: sbctl enroll-keys -m
  2. This will sign all the kernels that need to be signed and save them to the database: sbctl sign -s /boot/vmlinuz*
  3. You also need to sign the EFI binaries, as in the step above, that are listed by "sbctl verify". As an example, here I sign one of those from my output of that command: sbctl sign -s /boot/efi/EFI/fedora/grubx64.efi
  4. Reboot
4. Enable secure-boot:
  1. Enter your UEFI.
  2. Go to boot options and enable secure-boot.
  3. Also select this option: “Windows UEFI boot” and “Custom” or “Custom keys”.
  4. Save and reboot.
5. Now you should be booted using secure boot; verify that you are using secure boot:
  1. Run: sudo bootctl status (Output should show "Secure Boot: enabled (user)")
  2. Run: sudo dmesg | grep Secure (Output should show "Secure boot enabled")
  3. Run: sudo sbctl status (Output should show "Setup Mode: disabled" and "Secure Boot: Enabled")
6. Credit where credit is due:
Here are the full instructions; I used those and the "sbctl help" commands, and of course
all credit goes to the official instructions.
EXAMPLE WORKFLOW
USAGE

Some extra steps I did for Fedora Workstation to automate the signing of new/upgraded kernels.
THIS APPLIES TO FEDORA/RHEL based distributions only, other distributions will have another way of
doing something similar.
  1. Create the actions directory: sudo mkdir /etc/dnf/plugins/post-transaction-actions.d
  2. Create a file in the previously created directory: 99-sign-kernel.action
  3. Add the following content to that file.
Code:
kernel-cachyos:in:/usr/bin/sbctl sign -s /boot/vmlinuz*
shim:in:/usr/bin/sbctl sign-all

To show that I am not running the Fedora Workstation stock kernel but the CachyOS kernel:
Code:
uname -a
Linux lilith 6.12.9-cb1.0.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jan 10 19:30:52 UTC 2025 x86_64 GNU/Linux

Code:
sudo dmesg | grep Secure
[    0.002940] Secure boot enabled
 
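As an added example (not part of the post above and not code from the sbctl project), here is a small POSIX shell script that performs the same "am I really in secure boot?" verification as the bootctl/sbctl checks in step 5, but reads the UEFI variables directly from efivarfs. It decodes the SecureBoot and SetupMode variables (the 4-byte attribute header followed by one data byte, and the EFI global variable GUID, are from the UEFI spec) and classifies the result, so you can tell the difference between "keys cleared, still in setup mode" after step 2 and "enabled (user)" after step 4. The sample variable files it writes to a temp directory are constructed for this example; the paths under /sys/firmware/efi/efivars are the real ones.

```shell
#!/bin/sh
# Added example: decode the UEFI SecureBoot / SetupMode variables directly
# from efivarfs, the same facts "bootctl status" and "sbctl status" report.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID (UEFI spec)
EFIVARS=/sys/firmware/efi/efivars

# Print the single data byte of a boolean EFI variable file as "0", "1",
# "unknown" (odd content) or "absent" (file missing/unreadable).
# efivarfs stores 4 attribute bytes before the data, so the value is byte 5.
efivar_bool() {
    # $1 = path to an efivarfs file
    [ -r "$1" ] || { echo "absent"; return; }
    val=$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' ')
    case "$val" in
        1) echo "1" ;;
        0) echo "0" ;;
        *) echo "unknown" ;;
    esac
}

# Classify the boot state from the SecureBoot and SetupMode values.
# "enabled (user)" is the wording bootctl prints for SecureBoot=1, SetupMode=0.
classify_boot() {
    # $1 = SecureBoot value, $2 = SetupMode value ("0", "1", "absent", "unknown")
    case "$1:$2" in
        1:0)      echo "enabled (user)" ;;
        1:1)      echo "inconsistent: SecureBoot set while in setup mode" ;;
        0:1)      echo "disabled (setup mode: keys cleared, enroll keys now)" ;;
        0:0)      echo "disabled (user mode)" ;;
        absent:*) echo "not UEFI or efivarfs not mounted" ;;
        *)        echo "unknown" ;;
    esac
}

# Write a constructed efivarfs-style file: 4 attribute bytes (BS|RT = 0x06)
# followed by one data byte. Used only for the self-check below.
make_sample_var() {
    # $1 = output path, $2 = data byte (0 or 1)
    printf '\006\000\000\000' > "$1"
    case "$2" in
        1) printf '\001' >> "$1" ;;
        *) printf '\000' >> "$1" ;;
    esac
}

# Report the live system's state (prints an explanatory line on non-UEFI boxes).
check_live_system() {
    sb=$(efivar_bool "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_bool "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")
    echo "Secure Boot: $(classify_boot "$sb" "$sm")"
}

# Self-check on constructed samples, then the real machine.
demo() {
    tmp=$(mktemp -d)
    make_sample_var "$tmp/sb" 1
    make_sample_var "$tmp/sm" 0
    echo "constructed sample: $(classify_boot "$(efivar_bool "$tmp/sb")" "$(efivar_bool "$tmp/sm")")"
    rm -rf "$tmp"
    check_live_system
}

demo
```

The script needs no root: the SecureBoot and SetupMode variables are world-readable on efivarfs. If it prints "disabled (setup mode ...)" after you cleared the keys in the firmware, that is the expected state between steps 2 and 3; "enabled (user)" is what you want to see after step 4.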
sbctl doesn't exist in every distro, it doesn't exist in Debian repo where mokutil is used instead.
True, but I found "mokutil" a headache of a utility, where you would have to either create your own keys manually or find another way to export your current keys manually, while "sbctl" does all that headache stuff for you. It's also easy enough to compile it from source.
Code:
$ git clone https://github.com/foxboron/sbctl.git
$ cd sbctl
$ make
$ ./sbctl
However, I did just notice this. So I guess you can just use a combination of both, using the following to generate your keys; however, I have no idea what keys this includes and whether this also includes the Microsoft keys.
Code:
sudo kmodgenca -a
And then "mokutil" to import.
Code:
sudo mokutil --import /etc/pki/akmods/certs/public_key.der
I haven't tried this, but I sure find "sbctl" easier; I guess it's whatever you prefer to use, since it's a tool that does the whole process for you. I just thought I would share "sbctl" here since the other day was the first time I had heard of it.