UEFI Secure Boot

Authors Jason Self

License GPL-3.0-or-later

jxself.org


UEFI Secure Boot

Wed, 7 Aug 2019
My kernel packages for 32- and 64-bit x86 now support UEFI Secure Boot.
I've generated a Machine Owner Key (MOK) for this purpose. People that have
machines that support Secure Boot, and that want to use it, can enroll this key on their
computer to verify the kernel when booting.
It's possible to enable Secure Boot on a system that already has an existing Linux-libre
installation. This is a multi-step process.
First you should make sure that your GNU/Linux distro and your hardware really do
support UEFI Secure Boot.
If they do, and you want to use it, you should fetch and install the key with which the
kernels are signed:

  wget https://jxself.org/linux-libre-mok.cer

Check that it's the right one. The fingerprint is provided below as both SHA-1 and
SHA-256 because SHA-256 is more secure but the mokutil program and MOK
Manager will show the SHA-1. Providing both here allows for easy comparison.

  openssl x509 -noout -fingerprint -sha1 -inform der -in linux-libre-mok.cer

  EA:6D:07:60:A3:DC:1E:8A:BF:41:F4:4A:F1:FF:D1:2E:C8:63:E5:7B

  openssl x509 -noout -fingerprint -sha256 -inform der -in linux-libre-mok.cer

  5A:39:E0:D2:DD:1E:EF:F4:DB:D3:0A:F4:1E:CA:72:7E:B7:E7:FC:1F:5A:4B:88:CC:CE:3B:52:0C:D9:66:76:FF

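The same check done in code, as an added example that is not part of the original post: the fingerprint openssl prints is simply the SHA-1 or SHA-256 digest of the certificate's DER bytes, so the script below recomputes both, accepts DER or PEM input and tolerates the lower-case, colon-separated form mokutil displays. The file name and the EXPECTED table are taken from the post; everything else is constructed here.

```python
"""Verify a certificate's SHA-1 and SHA-256 fingerprints (added example)."""
import base64
import hashlib
import re
import sys

# Fingerprints of linux-libre-mok.cer exactly as published in the post above.
EXPECTED = {
    "sha1": "EA:6D:07:60:A3:DC:1E:8A:BF:41:F4:4A:F1:FF:D1:2E:C8:63:E5:7B",
    "sha256": "5A:39:E0:D2:DD:1E:EF:F4:DB:D3:0A:F4:1E:CA:72:7E:B7:E7:FC:1F:"
              "5A:4B:88:CC:CE:3B:52:0C:D9:66:76:FF",
}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for DER or PEM input. DER starts with 0x30 (SEQUENCE)."""
    if data[:1] == b"\x30":
        return data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("input is neither a DER nor a PEM certificate")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str) -> str:
    """What 'openssl x509 -fingerprint -<algo>' prints: the digest of the
    DER encoding, rendered as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons/spaces and fold case so 'ea:6d:..' equals 'EA:6D:..'."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def verify(data: bytes, expected: dict = EXPECTED) -> dict:
    """Return {algo: bool} for every expected fingerprint; enrol only if all True."""
    der = to_der(data)
    return {algo: normalize(fingerprint(der, algo)) == normalize(want)
            for algo, want in expected.items()}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "linux-libre-mok.cer"
    with open(path, "rb") as f:
        results = verify(f.read())
    for algo, ok in results.items():
        print(f"{algo}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```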
As long as it matches, enroll the key. Note that enrolling a key is a multistep process.
mokutil is used to start the process but the change can only be confirmed at boot
time. First:

  sudo mokutil --import linux-libre-mok.cer

You will be asked for a temporary password for this enrollment request. Remember
this password; MOK Manager will ask you for it later.

Check that it's prepared to be enrolled:

  sudo mokutil --list-new

Then restart:

  sudo reboot

The MOK Manager screen should appear after your UEFI boot screen but before your
GNU/Linux distro boots to confirm that the key should be added. Follow the on-screen
instructions to finish enrolling the key.

Once completed you can check that it was enrolled:

  sudo mokutil --list-enrolled

Once the key has been enrolled you should also enable validation in the shim
bootloader:

  sudo mokutil --enable-validation

Once again you will be asked for a temporary password. Make sure to remember it.

Restart again:

  sudo reboot

The MOK Manager screen should appear once again. Follow the on-screen
instructions to enable validation.

As the last step, make sure that Secure Boot is enabled at the firmware level:

  mokutil --sb-state

You should see:

  SecureBoot enabled

If not, please reboot and modify your UEFI firmware settings to turn on Secure Boot.
There are many different user interfaces and I can't cover them all. It may be
necessary to refer to the information about the make and model of your computer to
finalize Secure Boot.
Copyright © 2019 Jason Self. See license.shtml for license conditions. Please copy and share.