
Fedora 18

UEFI Secure Boot Guide

Edition 18.4

Josh Boyer, Fedora Project

Kevin Fenzi, Fedora Project

Peter Jones, Red Hat Install Team

Josh Bressers, Red Hat Product Security Team

Florian Weimer, Red Hat Product Security Team

Edited by

Eric Christensen, Red Hat Product Security Team

Legal Notice

Copyright © 2012-2013 Fedora Project Contributors.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.

1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
1. What is UEFI Secure Boot?
1.1. UEFI Secure Boot
1.2. Microsoft Requirements for Secure Boot
1.2.1. Implementation details
1.3. Fedora Secure Boot
1.4. What does Secure Boot protect you from?
1.5. Potential Secure Boot Risks
1.5.1. Forced removal of features in Secure Boot mode
1.5.2. System Transitions out of Secure Boot
1.5.3. No provisioning infrastructure beyond Microsoft Windows
1.5.4. Unproven Revocation Procedures
2. System Configuration
2.1. Entering the UEFI firmware
2.2. Disabling UEFI Secure Boot
2.3. Enabling Microsoft Secure Boot
2.4. Known issues
3. UEFI Secure Boot Implementation
3.1. Keys
3.2. Shim
3.3. GRUB
3.4. Kernel
3.4.1. Restrictions
4. Tools
4.1. Shim
4.2. Pesign
4.3. EFIKeyGen
4.4. sign-file
5. Using your own keys
5.1. Creating keys
5.2. Making keys for shim's build
5.3. Packages that need rebuilding
5.4. Enrolling your keys in firmware
A. Revision History