How/what to sign so that secure boot can be enabled #44
I honestly have no idea. A quick search seems to indicate that it might not be that easy, or even possible at all. https://askubuntu.com/questions/642653/loopback-module-for-grub-with-secure-boot If you do find a way, please share! :-)
See https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk Basically, to boot a Linux kernel with Secure Boot enabled with unpatched GRUB2 using
I've already enrolled a key in the MOK to sign kernel modules I've compiled for Fedora. Am I an easy step away from being able to securely boot from the USB drive?
It depends on what you want to achieve. If you only want to boot Fedora from HDD or ISO on your current PC with an enrolled key, you can probably use the signed shim (from the shim package) and grub2 (from the grub2-efi-x64 package) from Fedora. This bundle does not require key enrolling at all, but it would boot only Fedora. If you want to boot other Linux distros, you'd better use Super UEFIinSecureBoot Disk. Another option is to use unpatched GRUB2 (not from Fedora or Ubuntu) with signed shim <= 0.4; it will boot any Linux distribution after GRUB2 hash or key enrolling using MokManager. If you don't want to use the Microsoft certificate, if you want to take ownership of the UEFI platform and enroll your own keys, you can sign your own shim and grub.
There's a way. You have to create grub as an image using
Do you have a recommended procedure for signing GLIM's bits so that secure boot can stay enabled on systems that I control?