Hi, I just switched from Arch to Fedora Silverblue. I have secure boot enabled with factory keys (Microsoft). How can I sign the bootloader and kernel and other stuff with my own keys using something like sbctl? Is this even possible using Fedora Silverblue?
Thank you :)
I’m not very well-versed in all of this, but if what you’re referring to is technically known as Unified Kernel Image, then you should know that unfortunately it’s currently not supported on systems that rely on ostree; thus unsupported on Silverblue. A lot of work has gone into this over the last year, but I’m afraid we’re still (at least) two major releases removed from proper UKI support. For regular Fedora, consider referring to this excellent guide.
Signing the bootloader doesn’t necessarily mean that you have to use UKIs, though they do provide additional security. I believe the Silverblue people intend to use them as a solution to the challenges that come with Silverblue and custom signatures, but on a technical level the files in /efi should still be mutable and therefore signable.
Yeah, you can. I’ve been using this solution for a while now.
Thank you! That’s what I was searching for :)
Edit: akmods requires a ton of dependencies which have to be layered and that defeats the purpose of Silverblue… But still thanks
Just disable secure boot, it’s useless
I mean it arguably isn’t useless, but helps to wipe out a whole class of system attacks.
But yes, it’s very difficult to get Linux booting on it and it shouldn’t be and that sucks, because it IS actually quite useFUL.