- efitools was removed from Fedora 41
- efitools upstream is unmaintained
- sbctl can generate keys and sign, but efi-updatevar is still needed
The upstream efi-updatevar was modified so that it converts the *.auth files to intermediate *.vardata files (by writing to a user-specified file, rather than directly to the efivars filesystem). To avoid confusion, it was also renamed to mkefivardata.
The *.vardata files do not contain the private key used for signing. Hence it is safe to copy them onto an untrusted machine. To enroll the keys, simply copy the vardata files to the appropriate place in the efivars filesystem.
sudo dnf group install c-development
sudo dnf install gnu-efi-devel openssl-develmake clean
make#make DESTDIR=build install
sudo make installInstall sbctl:
sudo dnf copr enable chenxiaolong/sbctl
sudo dnf install sbctlGenerate keys and auth files:
sudo sbctl create-keys
sudo sbctl enroll-keys --microsoft --export authConvert auth files to vardata files:
mkefivardata db.auth db.vardata db
mkefivardata KEK.auth KEK.vardata KEK
mkefivardata PK.auth PK.vardata PKThe remaining steps may only work in setup mode.
To verify that the system is in setup mode, run mokutil --sb-state or sbctl status.
Copy each vardata file to its correct destination in the efivars filesystem:
sudo chattr -i /sys/firmware/efi/efivars/*
sudo cp db.vardata /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
sudo cp KEK.vardata /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
sudo cp PK.vardata /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8cCongratulations, the keys are now enrolled.
Notes:
cp <var>.vardata /sys/...is equivalent toefi-updatevar -f <var>.auth <var>.- The destination filenames in the efivars filesystem may look random, but they are always the same.
- After copying
PK.vardata, the system should not be in setup mode anymore.