this post was submitted on 08 May 2024
14 points (88.9% liked)

linux4noobs

1424 readers
2 users here now

linux4noobs


Noob Friendly, Expert Enabling

Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.


Seeking Support?

Community Rules

founded 1 year ago
MODERATORS
 
top 6 comments
sorted by: hot top controversial new old
[–] [email protected] 5 points 7 months ago (1 children)

You're looking at bootloaders, not kernels; you need to enroll the kernel with one of those bootloaders. Usually running sudo update-grub while in the OS will automatically detect and add any available kernels to the default version of GRUB.

If you can't boot into the OS, you can select the kernel manually from the GRUB command line: https://www.unix-ninja.com/p/Manually_booting_the_Linux_kernel_from_GRUB

[–] [email protected] 1 points 7 months ago (2 children)

I have the kernel in the bootloader, problem is I need to enroll it with MOK manager to actually boot it in secure boot. But it starts in /boot/efi with no option to go back to /boot so I don't really understand how exactly I'm supposed to do it.

[–] [email protected] 1 points 7 months ago

I've honestly never wrestled with Secure Boot in this way; I usually disable it if it won't let me boot my preferred kernel. From my brief online searches, enrolling your own keys is possible, but that depends on the kernel modules being signed in the first place, and carries risk of bricking devices if not done correctly. So you might just want to disable Secure Boot, or otherwise stick to kernels provided by your distribution.

[–] [email protected] 1 points 7 months ago

https://www.dannyvanheumen.nl/post/secure-boot-linux-shim-mokmanager/ seems to be a good introduction to the concept. Your distribution should have specific documentation on how to make custom kernels and secure boot work if you need more details.

If you have already made a certificate and imported it with mokutil maybe you just need to select the MokManager.efi from your screenshot and start that to enroll the key.

[–] [email protected] 1 points 7 months ago

Update: The file selection seems to begin at /boot/efi/ while the kernel is located in /boot/. Don't know the reason for this.

[–] [email protected] 1 points 7 months ago

generally you need to put your bios into secure boot "setup mode", this changes based on bios but generally requires wiping any keys already enrolled. once you are in setup mode you can boot into your install. depending on your distro you can then sign your kernel+modules and update the tpm. arch wiki has a good guide. also beware each time you update your kernel you need to resign kernel and modules otherwise you won't be able to boot