Secure Boot

Differences between revisions 1 and 11 (spanning 10 versions)
Revision 1 as of 2012-09-24 21:43:25
Size: 359
Comment:
Revision 11 as of 2024-04-05 19:34:01
Size: 2719
Comment:
Line 1: Line 1:
## Please edit system and help pages ONLY in the master wiki!
## For more information, please see MoinMoin:MoinDev/Translation.
##master-page:Unknown-Page
##master-date:Unknown-Date
#acl -All:write Default
#format wiki
#language en
<<TableOfContents(5)>>
Line 2: Line 11:
Right now there is no support for the "Secure Boot" feature in RPM Fusion for Fedora 18. Secure Boot is a feature that landed in Fedora 18 and above related securing the boot stages on EFI firmware and required by Windows 10+.
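Review bot: "related securing the boot stages" is missing a word; it should read "related to securing the boot stages on EFI firmware". The revised sentence also still introduces the feature as having "landed in Fedora 18" while the surrounding page now targets Fedora 36+, so "available since Fedora 18" would read more naturally.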
Line 4: Line 13:
You will have to disable it from your UEFI boot. With Fedora 36+, the akmods package have support to automatically sign locally built kmod with a self generated key. Such key must be imported into the EFI firmware (you must have right to access the EFI firmware).
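Review bot: grammar in this hunk: "the akmods package have support" should be "has support", and "Such key" should be "That key". It would also help to spell out what "right to access the EFI firmware" means in practice, namely being at the machine during boot, since the MOK enrollment described further down happens in the firmware's MOK Management screen rather than from the running system.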
Line 6: Line 15:
The support might land at some point. It's not required to disable secure boot (not even move to BIOS compatibility).


== Securing your key ==
Because the Secure Boot key is available locally on your computer, (by default it's in /etc/pki/akmods) you might need to consider encrypting your rootfs as appropriate in order to protect the key. Please consider this as a mandatory requirement, or consider to transfer the key to an external (and secure) location. or even use an hardware token


== Importing the key ==
Install the following tools:
   `sudo dnf install kmodtool akmods mokutil openssl`
 
The steps are described below. Refer to /usr/share/doc/akmods/README.secureboot for more information.
 
To generate a key with the default values:
   `sudo kmodgenca -a`
 
Now you need to enroll the public key in MOK, enroll the new keypair with certificate with the command
   `sudo mokutil --import /etc/pki/akmods/certs/public_key.der`

Mokutil asks to generate a password to enroll the public key. You will need this soon.
 
Rebooting the system is needed for MOK to enroll the new public key.
   `systemctl reboot`
 
On the next boot MOK Management is launched and you have to choose "Enroll MOK"
    
Choose "Continue" to enroll the key or "View key 0" to show the keys already enrolled.

Confirm enrollment by selecting "Yes".

You will be invited to enter the password generated above.

WARNING: keyboard is mapped to QWERTY!
 
The new key is enrolled, and the system asks you to reboot.
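Review bot: the "Securing your key" paragraph ends without punctuation ("or even use an hardware token") and should say "a hardware token"; more importantly, it should state that the private signing key is the asset to protect, since the only file this section names (/etc/pki/akmods/certs/public_key.der) is the public certificate that gets imported. In the enrollment steps, "Mokutil asks to generate a password" is misleading: the user chooses the password, and MOK Management asks for it again at the next boot. Consider closing the section with a verification step (for example listing the enrolled keys with mokutil --list-enrolled) so the reader can confirm the key is present before relying on it.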
Line 10: Line 53:
It's still possible to disable secure boot from the EFI firmware.


== How to use Secure Boot with a self compiled kernel ? ==
It's still WIP, but then 3rd part kmod signature won't work. This is worked on at https://bugzilla.redhat.com/show_bug.cgi?id=2070866
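Review bot: "It's still WIP, but then 3rd part kmod signature won't work." is ambiguous about what is work in progress; suggest "Secure Boot with a self-compiled kernel is still work in progress; for now, third-party kmod signatures won't work with such a kernel." Also drop the space before "?" in the heading.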
Line 13: Line 62:
* [[http://fedoraproject.org/wiki/Secureboot|Fedora feature on SecureBoot]]
Line 15: Line 63:
* [[http://fedoraproject.org/wiki/Secureboot|Fedora initial feature on Secure boot]]

* [[https://pagure.io/fedora-workstation/issue/155| Another RFE related to how to deal with Secure Boot for 3rd part kmod]]

Secure Boot

Secure Boot is a feature, available since Fedora 18, that secures the boot stages on EFI firmware; it is also required by Windows 10+.

With Fedora 36+, the akmods package has support for automatically signing locally built kmods with a self-generated key. That key must be imported into the EFI firmware (you must have the right to access the EFI firmware).

It is not required to disable Secure Boot (nor to switch to BIOS compatibility mode).

Securing your key

Because the Secure Boot signing key is stored locally on your computer (by default in /etc/pki/akmods), you should consider encrypting your rootfs as appropriate in order to protect the key. Treat this as a mandatory requirement, or transfer the key to an external (and secure) location, or even use a hardware token.

Importing the key

Install the following tools:

  • sudo dnf install kmodtool akmods mokutil openssl

The steps are described below. Refer to /usr/share/doc/akmods/README.secureboot for more information.

To generate a key with the default values:

  • sudo kmodgenca -a

Now you need to enroll the public key in MOK (the Machine Owner Key list). Enroll the new key pair's certificate with the command:

  • sudo mokutil --import /etc/pki/akmods/certs/public_key.der

mokutil asks you to choose a password for enrolling the public key. You will need it shortly.

Rebooting the system is needed for MOK to enroll the new public key.

  • systemctl reboot

On the next boot, MOK Management is launched and you have to choose "Enroll MOK".

Choose "Continue" to enroll the key or "View key 0" to show the keys already enrolled.

Confirm enrollment by selecting "Yes".

You will be asked to enter the password chosen above.

WARNING: the keyboard is mapped to QWERTY!

The new key is enrolled, and the system asks you to reboot.
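Once the system is back up, it is worth confirming that the enrollment actually took effect and that the key-protection advice from "Securing your key" is being followed. The following bash script is an added example (not part of the wiki page or of the akmods project): it checks Secure Boot state, compares the SHA1 fingerprint of the akmods certificate against the keys mokutil reports as enrolled, and verifies that the private key is not readable by other users. The paths are the akmods defaults as assumed from README.secureboot (override them with the AKMODS_CERT and AKMODS_PRIV environment variables if yours differ); the helpers take the tool output as text arguments, so they can be exercised without mokutil installed.

```bash
#!/usr/bin/env bash
# Added example (not from the RPM Fusion wiki or akmods): post-enrollment checks
# for an akmods Secure Boot key. Helpers take their input as arguments so they can
# be tested on constructed data; check_live() wires them to the real tools.
# Assumed default paths (from akmods' README.secureboot; verify on your system):
AKMODS_CERT="${AKMODS_CERT:-/etc/pki/akmods/certs/public_key.der}"
AKMODS_PRIV="${AKMODS_PRIV:-/etc/pki/akmods/private/private_key.priv}"

# Given the output of `mokutil --sb-state`, return 0 if Secure Boot is on.
sb_enabled() {
  printf '%s\n' "$1" | grep -q 'SecureBoot enabled'
}

# Given the output of `mokutil --list-enrolled` and a colon-separated SHA1
# fingerprint, return 0 if a key with that fingerprint is enrolled in MOK.
# mokutil prints one "SHA1 Fingerprint: xx:xx:..." line per enrolled key;
# case-insensitive because openssl prints uppercase hex and mokutil lowercase.
mok_has_fingerprint() {
  local listing="$1" fp="$2"
  printf '%s\n' "$listing" | grep -qi -- "^SHA1 Fingerprint: *${fp}"
}

# Given a private key path, return 0 only if the file exists and is neither
# group- nor world-readable (uses GNU stat, as shipped on Fedora). Anyone who
# can read this key can sign modules that the kernel will then load.
key_perms_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;   # last two octal digits (group, other) are both zero
    *)   return 1 ;;
  esac
}

# Run the checks against the live system; optionally pass a module path to
# print the signer recorded in it (e.g. a kmod under /usr/lib/modules/.../extra).
check_live() {
  if sb_enabled "$(mokutil --sb-state)"; then
    echo "Secure Boot: enabled"
  else
    echo "Secure Boot: DISABLED (module signatures are not being enforced)"
  fi

  local fp
  # openssl prints "sha1 Fingerprint=AA:BB:..."; keep the part after '='
  fp=$(openssl x509 -inform der -in "$AKMODS_CERT" -noout -fingerprint -sha1 | cut -d= -f2)
  if mok_has_fingerprint "$(mokutil --list-enrolled)" "$fp"; then
    echo "akmods certificate ($fp) is enrolled in MOK"
  else
    echo "akmods certificate ($fp) is NOT enrolled; re-run mokutil --import and reboot"
  fi

  if key_perms_ok "$AKMODS_PRIV"; then
    echo "private key permissions OK ($AKMODS_PRIV)"
  else
    echo "private key $AKMODS_PRIV is missing or readable by group/others"
  fi

  if [ -n "${1:-}" ]; then
    echo "module signer: $(modinfo -F signer "$1")"
  fi
}

# Only touch the live system when invoked as: ./check-akmods-sb.sh --live [module.ko]
if [ "${1:-}" = "--live" ]; then
  check_live "${2:-}"
fi
```

The fingerprint comparison is the check that matters: a key can be generated and imported without ever being confirmed in MOK Management (for example if the reboot was skipped or the password was mistyped on the QWERTY layout), and in that case akmods will happily sign modules that the kernel then refuses to load.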

How to disable Secure Boot

It is still possible to disable Secure Boot from the EFI firmware.

How to use Secure Boot with a self-compiled kernel?

This is still work in progress: for now, with a self-compiled kernel, third-party kmod signatures won't work. This is being worked on at https://bugzilla.redhat.com/show_bug.cgi?id=2070866

* Fedora initial feature on Secure Boot: http://fedoraproject.org/wiki/Secureboot

* Another RFE related to how to deal with Secure Boot for third-party kmods: https://pagure.io/fedora-workstation/issue/155


CategoryHowto

Howto/Secure Boot (last edited 2024-04-05 19:34:01 by Sérgio Basto)