Re: Working with secureboot

Tim via users wrote:
> On Wed, 2025-07-16 at 13:39 -0400, Robert McBroom via users wrote:
>> My understanding was that it was a new password entry
> 
> Todd Zullinger's earlier post said:
> 
>>> You should already have the key, which is stored at
>>> /etc/pki/akmods/certs/public_key.der.  The "code" that
>>> GNOME provides is the password for this key.  Check that
>>> the key exists and then proceed from the steps which start
>>> after "Now you need to enroll the public key in MOK" in the
>>> README.secureboot documentation.
> 
> You mentioned that code in your first post on this thread.

But I was wrong there. :)

I haven't used the automated setup of akmods on a system
with secureboot enabled, but I've done each separately.

In poking around a little, the generated key does not appear
to have a passphrase.  That makes sense, since it is used in
automatic builds where there is no (consistently available)
way to prompt the user for it.  The security of the key is
maintained only by file system permissions.

The password/code which is requested is just for MOK to
enroll the key.  For context, the README.secureboot file
says this near the end:

    Now you need to enroll the public key in MOK, this
    process is described below.
    - Ask MOK to enroll new keypair with certificate with the command
      `mokutil --import /etc/pki/akmods/certs/public_key.der`.
    - mokutil asks to generate a password to enroll the public key.
    - Rebooting the system is needed for MOK to enroll the new public
      key.
    - On next boot MOK Management is launched and you have to choose
      "Enroll MOK".
    - Choose "Continue" to enroll the key or "View key 0" to show the
      keys already enrolled.
    - Confirm enrollment by selecting "Yes".
    - You will be invited to enter the password generated above.
      WARNING: keyboard is mapped to QWERTY!
    - The new key is enrolled, and system ask you to reboot.

-- 
Todd
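
Added example, not part of the message above and not akmods' own code: a shell check of the two properties the message describes, that the signing key has no passphrase and is protected only by file permissions, followed by the MOK state of the certificate. The private key path in the usage comment is an assumption (the message names only the public certificate), and the function names are hypothetical.

```shell
#!/bin/sh
# Usage (as root), private key path is an assumption, adjust to your system:
#   sh check_akmods_key.sh /etc/pki/akmods/private/private_key.priv \
#       /etc/pki/akmods/certs/public_key.der

# Succeeds only if the key file grants nothing to group or other.
# -L follows symlinks so the real key file is inspected, not the link.
key_mode_is_private() {
    mode=$(stat -L -c '%a' "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     echo "loose mode $mode on $1" >&2; return 1 ;;
    esac
}

# Succeeds if the PEM private key is passphrase-protected
# (PKCS#8 encrypted header or the legacy Proc-Type marker).
key_is_encrypted() {
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED' "$1"
}

# One-line summary of what actually protects the signing key.
key_summary() {
    if key_mode_is_private "$1"; then perms=private; else perms=loose; fi
    if key_is_encrypted "$1"; then pass=yes; else pass=no; fi
    echo "perms=$perms passphrase=$pass"
}

# Run the checks only when paths are given on the command line.
if [ "$#" -ge 2 ]; then
    key_summary "$1"
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state || true          # is Secure Boot enabled?
        mokutil --test-key "$2" || true     # is the certificate enrolled in MOK?
    else
        echo "mokutil not installed; cannot query MOK state" >&2
    fi
fi
```

A result of `perms=private passphrase=no` matches what the message describes; `perms=loose` means any local user who can read the file can sign modules that the enrolled MOK certificate will validate.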
