Shell script to enable Secure Boot in Nobara
The shell script should work on other distributions as long as you swap lines 13 and 14 for the command that installs your distribution's sbctl package. You can find the exact command in the "Install" section of https://github.com/Foxboron/sbctl
Check out the arch branch for the Arch-specific script here
- Enter your BIOS and reset Secure Boot to setup mode
- DO NOT boot any other operating system after this. Head straight into the Nobara boot entry you want to sign for Secure Boot
Clone and cd into this repository with
git clone https://github.com/degenerate-kun-69/nobara-secure-boot.git/ && cd nobara-secure-boot
then run the script as root with
sudo sh secureboot-nobara.sh
Please open an issue in #issues so I can find the fixes.
Everyone is welcome to contribute: fork this repository and open a pull request with a description of your changes.
Small helper script for signing Nobara/Fedora Secure Boot artifacts with already enrolled sbctl keys.
This script is made for the normal recurring case: keys are already present and enrolled, and you only need to sign new kernels, EFI binaries, or external kernel modules after updates.
Depending on mode, the script can:
- enroll keys one time
- sign all installed kernel images
- sign modules for all installed kernels
- sign only the currently booted kernel and its modules
- validate signatures without changing anything
- sign unsigned EFI binaries reported by sbctl verify
Kernel modules are signed with the kernel sign-file helper. EFI binaries and kernel images are signed with sbctl.
You need:
- a Nobara or Fedora-like system
- root privileges
- sbctl
- modinfo
- depmod
- xz for .ko.xz modules
- zstd for .ko.zst modules
The script can install sbctl automatically unless you use --no-install.
Install the script into /usr/local/sbin so it can be called from anywhere:
sudo install -m 0755 ./sign-secureboot-nobara /usr/local/sbin/sign-secureboot-nobara
Check that the shell can find it:
sudo which sign-secureboot-nobara
Expected output:
/usr/local/sbin/sign-secureboot-nobara
After that you can run it simply as:
sudo sign-secureboot-nobara --validate-only
If you do not have your Secure Boot keys created and enrolled yet:
sudo sign-secureboot-nobara --enroll
If you need the Microsoft keys too, for example for a Windows dual boot:
sudo sign-secureboot-nobara --enroll --microsoft
This is usually needed only once.
Validate everything without modifying files:
sudo sign-secureboot-nobara --validate-only
Sign all installed kernels, modules, and EFI binaries:
sudo sign-secureboot-nobara --sign-all
Sign only the currently booted kernel and its modules:
sudo sign-secureboot-nobara --sign-current
Sign all kernels and modules, but skip EFI binaries:
sudo sign-secureboot-nobara --sign-all --no-efi
Validate only modules:
sudo sign-secureboot-nobara --validate-only --no-efi --no-kernels
For normal maintenance, these two commands are enough:
sudo sign-secureboot-nobara --validate-only
sudo sign-secureboot-nobara --sign-all
If you want a faster manual run and only care about the currently booted kernel:
sudo sign-secureboot-nobara --sign-current
This is faster, but it does not sign fallback kernels or newly installed kernels that have not been booted yet.
If you want automatic signing after kernel- or module-related package updates, create a DNF post-transaction action.
Create the directory if needed:
sudo mkdir -p /etc/dnf/plugins/post-transaction-actions.d
Create the file:
sudoedit /etc/dnf/plugins/post-transaction-actions.d/sign-secureboot-nobara.action
Put this content there:
kernel-core*:any:/usr/local/sbin/sign-secureboot-nobara --sign-all --no-efi
kernel-modules*:any:/usr/local/sbin/sign-secureboot-nobara --sign-all --no-efi
kernel*:any:/usr/local/sbin/sign-secureboot-nobara --sign-all --no-efi
akmod-*:any:/usr/local/sbin/sign-secureboot-nobara --sign-all --no-efi
*kmod*:any:/usr/local/sbin/sign-secureboot-nobara --sign-all --no-efi
nvidia*:any:/usr/local/sbin/sign-secureboot-nobara --sign-all --no-efi
This is safer than --sign-current for unattended updates, because it covers all installed kernel versions.
--enroll is the one-time setup mode. It creates keys if missing, enrolls them, then signs all artifacts.
--sign-all signs:
- EFI binaries reported by sbctl verify
- all /boot/vmlinuz-*
- all modules under /lib/modules/*
This is the safest recurring mode.
--sign-current signs:
- EFI binaries reported by sbctl verify
- /boot/vmlinuz-$(uname -r)
- modules under /lib/modules/$(uname -r)
This is faster, but narrower in scope.
--validate-only does not modify anything. It only checks the current signing state and exits with a non-zero status if unsigned items are found.
This mode is useful for hooks, testing, and troubleshooting.
- The script assumes the sbctl key material is in /var/lib/sbctl/keys/db/db.key and /var/lib/sbctl/keys/db/db.pem
- Module signing uses the matching kernel's sign-file helper from /lib/modules/<kernel>/build/scripts/sign-file or /usr/src/kernels/<kernel>/scripts/sign-file
- Compressed modules are decompressed, signed, and compressed again.
- depmod is executed after module signing.
The script exits with non-zero status on validation failure or signing errors. This is intentional, so package hooks can detect problems.
Check what sbctl sees:
sbctl status
sbctl verify
Check the signer of one module:
modinfo -F signer /path/to/module.ko
For a compressed module, unpack it temporarily first.
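The per-module signing and signer check described above, as an added example that is not the repository's own script. It assumes the sbctl key paths and sign-file locations the README names; the kernel version, module path and optional root prefix are caller-supplied inputs.

```shell
# Added example, not the repository's script: sign one module as the README describes
# (decompress, sign-file with the sbctl db key, recompress) and read the signer back.
# Key paths are the README's; kernel version, module path and root prefix are inputs.
set -eu
SB_KEY=/var/lib/sbctl/keys/db/db.key
SB_CERT=/var/lib/sbctl/keys/db/db.pem
# Print the compression of a module path: none, xz or zstd. Fails on non-modules.
module_compression() {
    case "$1" in
        *.ko.xz)  echo xz ;;
        *.ko.zst) echo zstd ;;
        *.ko)     echo none ;;
        *)        return 1 ;;
    esac
}
# Find sign-file in the two places the README lists; root prefix is for scratch trees.
find_sign_file() {
    kver=$1; root=${2:-}
    for p in "$root/lib/modules/$kver/build/scripts/sign-file" \
             "$root/usr/src/kernels/$kver/scripts/sign-file"; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}
# Sign one module in place, handling .ko, .ko.xz and .ko.zst.
sign_module() {
    mod=$1; sign_file=$2
    comp=$(module_compression "$mod") || { echo "not a module: $mod" >&2; return 1; }
    plain=${mod%.xz}; plain=${plain%.zst}
    case "$comp" in
        xz)   xz -d -k -f "$mod" ;;                 # writes $plain beside $mod
        zstd) zstd -d -q -f "$mod" -o "$plain" ;;
    esac
    "$sign_file" sha256 "$SB_KEY" "$SB_CERT" "$plain"
    case "$comp" in
        xz)   xz -f "$plain" ;;                     # rebuilds $mod, removes $plain
        zstd) zstd -q -f --rm "$plain" -o "$mod" ;;
    esac
}
# Report the signer of a module; a compressed one is unpacked to a temp dir first.
module_signer() {
    mod=$1; tmp=$(mktemp -d); plain="$tmp/${mod##*/}"
    plain=${plain%.xz}; plain=${plain%.zst}
    case "$(module_compression "$mod")" in
        xz)   xz -d -c "$mod" >"$plain" ;;
        zstd) zstd -d -q -c "$mod" >"$plain" ;;
        none) cp "$mod" "$plain" ;;
    esac
    modinfo -F signer "$plain"; rm -rf "$tmp"
}
```

After signing every module of a kernel version, run depmod for that version, as the README notes; the db key is root-only, so these functions must run as root.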
If the script says key material is missing but you are sure keys were already enrolled, verify that sbctl is using the expected key location.
--sign-current is useful when you want a quick local fix for the running system.
But it skips:
- other installed kernels
- fallback kernels
- newly installed kernels which are not booted yet
- modules for those other kernel versions
Because of this, --sign-all is the better default for package hooks and for regular maintenance.