Tim via users wrote:
> On Wed, 2025-07-16 at 13:39 -0400, Robert McBroom via users wrote:
>> My understanding was that it was a new password entry
> 
> Todd Zullinger's earlier post said:
> 
>>> You should already have the key, which is stored at
>>> /etc/pki/akmods/certs/public_key.der.  The "code" that
>>> GNOME provides is the password for this key.  Check that
>>> the key exists and then proceed from the steps which start
>>> after "Now you need to enroll the public key in MOK" in the
>>> README.secureboot documentation.
> 
> You mentioned that code in your first post on this thread.

But I was wrong there. :)

I haven't used the automated setup of akmods on a system
with secureboot enabled, but I've done each separately.

In poking around a little, the generated key does not appear
to have a passphrase.  That makes sense, since it is used in
automatic builds where there is no (consistent available)
way to prompt the user for it.  The security of the key is
maintained only by file system permissions.

The password/code which is requested is just for MOK to
enroll the key.  For context, the README.secureboot file
says this near the end:

    Now you need to enroll the public key in MOK, this
    process is described below.
    - Ask MOK to enroll new keypair with certificate with the command
      `mokutil --import /etc/pki/akmods/certs/public_key.der`.
    - mokutil asks to generate a password to enroll the public key.
    - Rebooting the system is needed for MOK to enroll the new public
      key.
    - On next boot MOK Management is launched and you have to choose
      "Enroll MOK".
    - Choose "Continue" to enroll the key or "View key 0" to show the
      keys already enrolled.
    - Confirm enrollment by selecting "Yes".
    - You will be invited to enter the password generated above.
      WARNING: keyboard is mapped to QWERTY!
    - The new key is enrolled, and system ask you to reboot.

-- 
Todd
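
Added example, not part of the original message and not akmods' own code: a read-only check of the points made above, namely that the public key exists, that the passphrase-less private key is protected by its file mode, and what MOK currently reports for the key. The private key path is not given in the message, so it is passed as an argument; tolerating group read (mask 027) is an assumption, and FORBIDDEN_BITS is a name introduced for this example.

```shell
#!/bin/sh
# Added example, not part of the original message or of akmods itself.
# Usage: sh check-akmods-key.sh /path/to/private_key
# The private key path is NOT given in the post, so pass it explicitly.

PUB_DER=/etc/pki/akmods/certs/public_key.der   # path quoted in the post
# Assumption: a build group may need to read the key, so group read is
# tolerated. Set FORBIDDEN_BITS=077 to forbid all group access as well.
FORBIDDEN_BITS=${FORBIDDEN_BITS:-027}

# Return 0 if the file exists and none of the forbidden mode bits are set.
# The key has no passphrase, so these bits are its only protection.
key_perms_ok() {
    [ -f "$1" ] || return 2
    mode=$(stat -L -c '%a' "$1") || return 2   # -L: check the symlink target
    [ $(( 0$mode & 0$FORBIDDEN_BITS )) -eq 0 ]
}

main() {
    priv=$1
    if [ ! -f "$PUB_DER" ]; then
        echo "MISSING: $PUB_DER (key pair not generated yet)"
        return 1
    fi
    if key_perms_ok "$priv"; then
        echo "OK: $priv mode has none of the bits in $FORBIDDEN_BITS"
    else
        echo "WARN: $priv is missing or too permissive; restrict its mode"
    fi
    if [ "$(stat -L -c '%u' "$priv" 2>/dev/null)" != 0 ]; then
        echo "WARN: $priv is not owned by root"
    fi
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state              # is Secure Boot enabled?
        mokutil --test-key "$PUB_DER"   # is this key already enrolled?
        mokutil --list-new              # keys queued for the next boot
    else
        echo "mokutil not installed; cannot query MOK state"
    fi
}

# Run only when a private key path was supplied on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```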
