
Secure Boot

Differences between revisions 3 and 4
Revision 3 as of 2013-02-08 23:06:47
Size: 370
Editor: ktdreyer
Comment: future-proof Fedora versions
Revision 4 as of 2022-04-06 12:37:44
Size: 1794
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
Right now there is no support for the "Secure Boot" feature in RPM Fusion for Fedora 18 and above. Secure Boot is a feature that landed in Fedora 18 and above related securing the boot stages on EFI firmware and required by Windows 10+.
Line 4: Line 4:
You will have to disable it from your UEFI boot. With Fedora 36+, the akmods package have support to automatically sign locally built kmod with a self generated key. Such key must be imported into the EFI firmware (you may have right to access the EFI firmware).
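Review bot: the parenthetical "(you may have right to access the EFI firmware)" in the added akmods sentence does not say whether firmware access is a prerequisite or only a possibility; if importing the key depends on it, say so directly, for example "you need access to the EFI firmware". In the same sentence, "the akmods package have support" should read "has support".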
Line 6: Line 6:
The support might land at some point. It's not required to disable secure boot (not even move to BIOS compatibility).


== Securing your key ==
Because the Secure Boot key is available locally on your computer, (by default it's in /etc/pki/akmods) you might need to consider encrypting your rootfs as appropriate in order to protect the key. Please consider this as a mandatory requirement, or consider to transfer the key to an external (and secure) location.

== Importing the key ==
As per the README.secureboot (located at /usr/share/doc/akmods/README.secureboot) you need the following commands:
{{{
# To create the self generated key and certificate:
/usr/sbin/kmodgenca
# To import the key, the command will ask for a password to protect the key
# You will have to enter this password during the special EFI window
mokutil --import /etc/pki/akmods/certs/public_key.der
}}}
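Review bot: in "Securing your key", "you might need to consider encrypting your rootfs" is followed by "Please consider this as a mandatory requirement", so the reader cannot tell whether protecting /etc/pki/akmods is optional or required; state it once as a requirement and name the two options (encrypted rootfs, or the key moved to an external location). In the command block, the comment says the mokutil password is "to protect the key", while the next comment shows it is typed again in the EFI window and the file being imported is public_key.der; wording it as the password that confirms the import would avoid suggesting that the private key is password-protected.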
Line 10: Line 24:
It's still possible to disable secure boot from the EFI firmware.


== How to use Secure Boot with a self compiled kernel ? ==
It's still WIP, but then 3rd part kmod signature won't work. This is worked on at https://bugzilla.redhat.com/show_bug.cgi?id=2070866

Line 13: Line 34:
* [[http://fedoraproject.org/wiki/Secureboot|Fedora feature on Secure boot]] * [[http://fedoraproject.org/wiki/Secureboot|Fedora initial feature on Secure boot]]
* [[https://pagure.io/fedora-workstation/issue/155| Another RFE related to how to deal with Secure Boot for 3rd part kmod]]

Secure Boot

Secure Boot is a feature, supported in Fedora 18 and above, that secures the boot stages on EFI firmware; it is required by Windows 10+.

With Fedora 36+, the akmods package can automatically sign locally built kmods with a self-generated key. This key must be imported into the EFI firmware (this requires access to the EFI firmware).

You do not need to disable Secure Boot, nor switch to BIOS compatibility mode.

Securing your key

Because the Secure Boot key is stored locally on your computer (by default in /etc/pki/akmods), you might need to encrypt your rootfs as appropriate in order to protect the key. Please treat this as a mandatory requirement, or consider transferring the key to an external (and secure) location.

Importing the key

As per the README.secureboot (located at /usr/share/doc/akmods/README.secureboot) you need the following commands:

# To create the self generated key and certificate:
/usr/sbin/kmodgenca
# To import the key, the command will ask for a password to protect the key
# You will have to enter this password during the special EFI window
mokutil --import /etc/pki/akmods/certs/public_key.der
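
A read-only audit of the two steps above, as an added example that is not taken from README.secureboot or the akmods package: it lists files under /etc/pki/akmods that users outside the owner and group can access, and asks mokutil whether the certificate is enrolled. The certs/ exclusion and the --run switch are assumptions of this example; the paths are the ones given on this page.

```shell
#!/bin/bash
# Added example: audit the akmods signing material described on this page.
KEY_DIR="${KEY_DIR:-/etc/pki/akmods}"          # default location named on this page
CERT="${CERT:-$KEY_DIR/certs/public_key.der}"  # certificate imported with mokutil above

# Print every regular file under directory $1 that "other" users can access,
# skipping the certs/ subtree (assumption: it holds only the public certificate).
# Returns 0 when nothing is exposed, 1 when files are listed, 2 on a missing dir.
loose_key_files() {
    local dir="$1" found
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    found=$(find "$dir" -type f ! -path "$dir/certs/*" -perm /007 2>/dev/null)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Print the Secure Boot state, the enrollment status of the akmods certificate,
# and any key file with loose permissions. Run as root so $KEY_DIR is readable.
report() {
    mokutil --sb-state
    mokutil --test-key "$CERT"
    if loose_key_files "$KEY_DIR"; then
        echo "OK: nothing under $KEY_DIR (outside certs/) is world-accessible"
    else
        echo "WARNING: restrict the files listed above (chmod o-rwx)" >&2
        return 1
    fi
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run it as root with `--run` after the `mokutil --import` reboot; a certificate that is still waiting for confirmation in the EFI window is reported by `mokutil --test-key` as not yet enrolled.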

How to disable Secure Boot

It's still possible to disable secure boot from the EFI firmware.

How to use Secure Boot with a self-compiled kernel?

It's still a work in progress, and in that case 3rd party kmod signatures won't work. This is being worked on at https://bugzilla.redhat.com/show_bug.cgi?id=2070866

* Fedora initial feature on Secure boot: http://fedoraproject.org/wiki/Secureboot
* Another RFE related to how to deal with Secure Boot for 3rd party kmod: https://pagure.io/fedora-workstation/issue/155


CategoryHowto

Howto/Secure Boot (last edited 2023-11-14 09:37:58 by anonymous)