I know not everyone is a fan of secure-boot, but I recently discovered an easy way to set up secure-boot
using a tool called "sbctl", which allowed me to use the Microsoft keys already in my UEFI to sign a custom kernel, but you can also enroll your own custom keys if you prefer to do that. I used the easy option, which is using the Microsoft keys, because I don't like headaches and over-complicating things when it can be done the easy way.
DISCLAIMER: I AM NOT RESPONSIBLE FOR BRICKING YOUR SYSTEM! DO AT YOUR OWN RISK!
This worked for me on my first try, so it is actually that easy with this tool. As an example, I am on Fedora Workstation.
1. Installation (See installation instructions for your distribution):
- Enable copr: sudo dnf copr enable chenxiaolong/sbctl
- Install sbctl: sudo dnf install sbctl
- Reboot
- Enter your UEFI firmware.
- Select secure-boot and then under Keymanagement: "Clear your keys" (Depending on your UEFI version and vendor you should be able to reset your keys).
- Disable secure-boot, save and reboot.
- This will enroll your system with the Microsoft keys: sbctl enroll-keys -m
- This will sign all the kernels that need to be signed and save them to the database: sbctl sign -s /boot/vmlinuz*
- You also need to sign the EFI binaries listed by "sbctl verify", the same way as in the step above. As an example, here I will sign one of those from my output of that command: sbctl sign -s /boot/efi/EFI/fedora/grubx64.efi
- Reboot
- Enter your UEFI.
- Go to boot options and enable secure-boot.
- Also select these options: “Windows UEFI boot” and “Custom” or “Custom keys”.
- Save and reboot.
- Run: sudo bootctl status (Output should show "Secure Boot: enabled (user)")
- Run: sudo dmesg | grep Secure (Output should show "Secure boot enabled")
- Run: sudo sbctl status (Output should show "Setup Mode: disabled" and "Secure Boot: Enabled")
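The three checks above all read the same two UEFI variables, so here is an added example (my own script, not part of the sbctl project or the official instructions) that reads SecureBoot and SetupMode directly from efivarfs and reports the state in the wording bootctl/sbctl use. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (override with EFIVARS); the GUID is the standard EFI global-variable GUID.

```shell
#!/bin/sh
# Added example, not from the original post: report Secure Boot state from the
# raw UEFI variables instead of trusting bootctl/dmesg/sbctl output.
# Assumption: efivarfs mounted at /sys/firmware/efi/efivars (EFIVARS overrides it).
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
# Both variables live under the EFI global-variable GUID; each efivarfs file is
# 4 attribute bytes followed by the variable data (a single byte here).
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SM_VAR="SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte FILE: print the first data byte (offset 4) as a decimal number.
# Prints "missing" and fails when the variable does not exist (legacy BIOS boot,
# or efivarfs not mounted).
efivar_byte() {
  [ -r "$1" ] || { echo missing; return 1; }
  od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# secure_boot_state SB_FILE SM_FILE: combine the two flags into one verdict.
#   "setup mode"     - keys cleared; this is where "sbctl enroll-keys -m" works
#   "enabled (user)" - firmware enforces signatures with the enrolled keys
#   "disabled"       - firmware boots unsigned binaries
#   "unsupported"    - no SecureBoot variable at all
secure_boot_state() {
  sb=$(efivar_byte "$1") || { echo unsupported; return 0; }
  sm=$(efivar_byte "$2") || sm=0
  if [ "$sm" = "1" ]; then
    echo "setup mode"
  elif [ "$sb" = "1" ]; then
    echo "enabled (user)"
  else
    echo disabled
  fi
}

# report_secure_boot: print the verdict for the running system.
report_secure_boot() {
  printf 'Secure Boot: %s\n' \
    "$(secure_boot_state "$EFIVARS/$SB_VAR" "$EFIVARS/$SM_VAR")"
}

report_secure_boot
```

If the script prints "setup mode" after you thought you had enabled secure-boot, the firmware is still accepting any key and the "enable secure-boot" step in the UEFI did not stick.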
Here are the full instructions; I used those and the "sbctl help" commands, and of course
all credit goes to the official instructions.
EXAMPLE WORKFLOW
USAGE
Some extra steps I did for Fedora Workstation to automate the signing of new/upgraded kernels.
THIS APPLIES TO FEDORA/RHEL based distributions only; other distributions will have another way of doing something similar.
- Create the actions directory: sudo mkdir -p /etc/dnf/plugins/post-transaction-actions.d
- Create a file in the previously created directory: 99-sign-kernel.action
- Add the following content to that file.
Code:
kernel-cachyos:in:/usr/bin/sbctl sign -s /boot/vmlinuz*
shim:in:/usr/bin/sbctl sign-all
To show that I am not running the stock Fedora Workstation kernel but the CachyOS kernel:
Code:
uname -a
Linux lilith 6.12.9-cb1.0.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jan 10 19:30:52 UTC 2025 x86_64 GNU/Linux
Code:
sudo dmesg | grep Secure
[ 0.002940] Secure boot enabled