{"id":20261191,"url":"https://github.com/jellyterra/fedora-secureboot","last_synced_at":"2025-11-30T03:02:21.691Z","repository":{"id":229476034,"uuid":"775923400","full_name":"jellyterra/fedora-secureboot","owner":"jellyterra","description":"Build trusted boot on Fedora.","archived":false,"fork":false,"pushed_at":"2024-03-24T15:43:02.000Z","size":4,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-03-29T20:26:00.676Z","etag":null,"topics":["bootloader","dracut","fedora","secureboot","uefi","unified-kernel-image"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jellyterra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-03-22T10:13:05.000Z","updated_at":"2024-03-27T10:49:18.000Z","dependencies_parsed_at":"2024-03-24T16:51:25.743Z","dependency_job_id":null,"html_url":"https://github.com/jellyterra/fedora-secureboot","commit_stats":null,"previous_names":["jellytea/fedora-secureboot","jellyterra/fedora-secureboot"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jellyterra%2Ffedora-secureboot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jellyterra%2Ffedora-secureboot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jellyterra%2Ffedora-secureboot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jellyterra%2Ffedora-secureboot/manifests","owner
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jellyterra","download_url":"https://codeload.github.com/jellyterra/fedora-secureboot/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241722188,"owners_count":20009314,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bootloader","dracut","fedora","secureboot","uefi","unified-kernel-image"],"created_at":"2024-11-14T11:24:35.621Z","updated_at":"2025-11-30T03:02:21.597Z","avatar_url":"https://github.com/jellyterra.png","language":"Shell","readme":"# Fedora SecureBoot Setup Utilities\n\nBuild trusted boot on Fedora and other distributions.\n\nIf you are a new Linux user, you had better understand how SecureBoot and these scripts work before running them.\n\nIf you are an experienced Linux user, you may still want to learn how the scripts work.\n\nThe process is as follows:\n```bash\nsb-keygen.sh\nsb-update-key.sh\ndracut-uki-gen.sh\nsb-sign-uki.sh\n```\n\n\n## Preparation\n\nInstall the dependencies:\n- dracut\n- efitools\n- openssl\n- sbsigntools\n- systemd-boot: provides the EFI stub file required by **dracut**\n\n```bash\ndnf install dracut efitools openssl sbsigntools systemd-boot\n```\n\n\u003e [!CAUTION]\n\u003e Back up your UEFI configuration, ESP and bootloader so that you can recover if the unexpected happens.\n\n\u003e [!NOTE]\n\u003e You may have to disable SecureBoot while setting up under Custom Mode.\n\u003e It depends on your UEFI firmware.\n\n\n## Configure SecureBoot in UEFI Setup\n\n\u003e [!NOTE]\n\u003e It depends on your UEFI firmware.\n\n\n## Setup under Custom Mode: PK, KEK and DB 
keys\n\n```bash\nsb-keygen.sh\nsb-update-key.sh\n```\n\n\u003e [!IMPORTANT]\n\u003e Make sure you COMPLETELY understand how the commands operate before running them.\n\nReference: [Simon Ruderich's article](https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd)\n\n### Generate keypairs\n\n```bash\n# Self-signed certificates for the Platform Key (PK), Key Exchange Key (KEK) and signature database (db) key.\n# -nodes writes the private keys unencrypted; keep PK.key and KEK.key offline once the keys are enrolled.\nopenssl req -new -x509 -newkey rsa:2048 -subj \"/CN=PK/\"  -keyout PK.key  -out PK.crt  -days 7300 -nodes -sha256\nopenssl req -new -x509 -newkey rsa:2048 -subj \"/CN=KEK/\" -keyout KEK.key -out KEK.crt -days 7300 -nodes -sha256\nopenssl req -new -x509 -newkey rsa:2048 -subj \"/CN=db/\"  -keyout db.key  -out db.crt  -days 7300 -nodes -sha256\n```\n\n### Convert public keys (certificates) to EFI signature lists\n\nEach signature list is signed by its parent in the chain: the PK signs itself, the PK signs the KEK, and the KEK signs the db.\n\n```bash\ncert-to-efi-sig-list PK.crt PK.esl\nsign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth\n\ncert-to-efi-sig-list KEK.crt KEK.esl\nsign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth\n\ncert-to-efi-sig-list db.crt db.esl\nsign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth\n```\n\n### Write the PK, KEK and DB public keys into EFI variables\n\nWrite the PK last: enrolling a PK takes the firmware out of Setup Mode, after which further changes must be signed by the corresponding parent key.\n\n```bash\nefi-updatevar -f db.auth db\nefi-updatevar -f KEK.auth KEK\nefi-updatevar -f PK.auth PK\n```\n\n\u003e [!TIP]\n\u003e Some UEFI firmware supports enrolling the PK, KEK and DB public keys from the UEFI Setup interface. This is recommended if your firmware supports it.\n\n\u003e [!NOTE]\n\u003e The enrolled keys can be reset from UEFI Setup. 
You do not have to back them up.\n\n\u003e [!IMPORTANT]\n\u003e Protect your UEFI Setup admin password; without it, SecureBoot can simply be disabled in Setup and is not truly effective.\n\n\n## Packing the unified kernel image with dracut\n\n```bash\ndracut-uki-gen.sh [kernel version]\n```\n\n**dracut** is a shell script that generates the initramfs/initrd image.\nThe `.conf` files are shell fragments containing variable definitions.\n\nWrite the kernel cmdline to `/etc/dracut.conf.d/cmdline.conf`:\n\n```bash\n# Quote the substitution: the cmdline contains spaces\nkernel_cmdline=\"$(cat /proc/cmdline)\"\n```\n\n**Alternatively**, you can pass the kernel cmdline as an option to dracut.\n\n```bash\n# The cmdline must be quoted, otherwise only its first word is taken as the option value\ndracut --kernel-cmdline \"$(cat /proc/cmdline)\"\n```\n\nFor **x86_64** machines:\n```bash\ndracut \\\n    --kernel-cmdline \"$(cat /proc/cmdline)\" \\\n    --uefi-stub /lib/systemd/boot/efi/linuxx64.efi.stub \\\n    --uefi /boot/efi/EFI/$(uname -r).efi\n```\n\n\n## Signing the unified kernel image\n```bash\nsb-sign-uki.sh [kernel version]\n```\n\n```bash\nsbsign --key db.key --cert db.crt --output /boot/efi/EFI/$(uname -r).efi /boot/efi/EFI/$(uname -r).efi\n```\n\n\n## Add a UEFI boot entry for the unified kernel image\n\n```bash\n# NAME and VERSION_ID come from /etc/os-release\n. /etc/os-release\nefibootmgr \\\n    -L \"$NAME $VERSION_ID - $(uname -r)\" \\\n    --loader /boot/efi/EFI/$(uname -r).efi \\\n    --create\n```\n\n\n## Enable SecureBoot in UEFI Setup\n\nMake sure everything is ready.\n\nReboot and enter UEFI Setup. Enable SecureBoot.\n\n\n## Check that your SecureBoot settings really take effect\n\nFor this step, you have to check manually. It is **IMPORTANT**!\n\nAdd a UEFI boot entry for another EFI executable that has no valid signature.\nIf it **does not** boot, then SecureBoot is working.\n\n\u003e [!TIP]\n\u003e Copy /boot (except /boot/efi) to the encrypted disk, and copy it back when updating. 
That way you no longer need to protect /boot.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjellyterra%2Ffedora-secureboot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjellyterra%2Ffedora-secureboot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjellyterra%2Ffedora-secureboot/lists"}