Hi, I just switched from Arch to Fedora Silverblue. I have Secure Boot enabled with factory keys (Microsoft). How can I sign the bootloader, kernel and other stuff with my own keys using something like sbctl? Is this even possible using Fedora Silverblue?

Thank you :)

  • throwawayish@lemmy.ml
    1 year ago

    I’m not very well-versed in all of this, but if what you’re referring to is technically known as Unified Kernel Image, then you should know that unfortunately it’s currently not supported on systems that rely on ostree; thus unsupported on Silverblue. A lot of work has gone into this over the last year, but I’m afraid we’re still (at least) two major releases removed from proper UKI support. For regular Fedora, consider referring to this excellent guide.

    • Skull giver@popplesburger.hilciferous.nl
      1 year ago

      Signing the bootloader doesn’t necessarily mean that you have to use UKIs, though they do provide additional security. I believe the Silverblue people intend to use them as a solution to the challenges that come with Silverblue and custom signatures, but on a technical level the files in /efi should still be mutable and therefore signable.

    • chevy9294@monero.townOP
      1 year ago

      Thank you! That’s what I was searching for :)

      Edit: akmods requires a ton of dependencies which have to be layered, and that defeats the purpose of Silverblue… But still, thanks

    • sunbeam60@lemmy.one
      1 year ago

      I mean it arguably isn’t useless, but helps to wipe out a whole class of system attacks.

      But yes, it’s very difficult to get Linux booting on it and it shouldn’t be and that sucks, because it IS actually quite useFUL.