Adding X.509 certificate to UEFI secure boot database?

uefi secure-boot nvidia-geforce fedora-20

You should be able to load the certificate using MokManager.efi so that it's recognized by Shim, and therefore accepted by the kernel. I don't know if Fedora sets its GRUB up so that you can launch MokManager.efi yourself. If not, try booting (with Secure Boot disabled) a USB flash drive with an EFI shell or rEFInd. You should then be able to launch MokManager.efi and load the certificate file. (It will need to be stored on the same disk as the MokManager.efi utility -- probably /boot/efi from within Fedora.)

I'm pretty sure there's a way to add the certificate to the NVRAM from within Linux so that Shim will notice it and ask if it should be used the next time you reboot, but I don't know precisely what it is. Presumably it would involve writing the file to somewhere in the /sys/firmware/efi directory tree.

That said, I've never had to do this specific thing myself, since I don't use proprietary video drivers on any of my computers. It's conceivable there's some extra step you'll need to take.


You would want to use mokutil to enroll the key.

sudo mokutil --import <der file>

You can test if a key is enrolled with

mokutil --test-key <der file>

Related

How do I prevent my bluetooth headphones from waking my computer from standby?
How to clear locally cached OneDrive online-only files
gvfsd-trash's way of clearing the trash
How to let gpg-agent confirm each key usage
Tuxboot vs UNetbootin?
Total, initial, hard drive encryption speed with VeraCrypt
How to make Thunderbird understand local .maildir folder?
Same hard drives, different capacities
In Windows 10 Pro Storage Space, why can't I use ReFS with Parity?
Open link in new tab - Pop-up Blocked
Changing sector size on Samsung 840 SSDs
How to setup Google Now in Chrome for Windows 10 PC