Secure Boot Status

First of all, thank you to everyone involved in producing this wonderful distro. I was wondering how the secure boot development is coming along. I am very keen to get this on my machines running them as desktops, I know it's mostly used as a server OS but I like the stability of tested secure software. It runs great on my test VM. Thanks again to all the devs and helpers on a great job :)

cheers

Okay, after 4 days no replies, maybe there is no secure boot coming. I am going to install the other clone, seems nobody can answer a simple question which I posted 4 days ago in the development section. Just wondering how they are going to package security updates in a timely manner… very poor communication.

Secure boot is in progress and has been since the project started. We expect to have it wrapped up within the next month or so.

The forum is a little slow, our primary venue for communication is the chat on chat.rockylinux.org. However, good point, I’ll make sure our secure boot progress is stated in the July community update (if it isn’t finished by the time that goes out).

1 Like

Do you have any timeframe when secure boot will be possible with Rocky Linux ?

Hi @obsti - You can follow the current status here

Basically, we’re just waiting on the shim review now, and are a bit “at the mercy” of that process for our own secureboot.

1 Like

Hi @neil - thanks for your answer.

Sounds good. I will follow the status and test as it is available.

1 Like

When the process is complete, will we be able to turn on Secure Boot on an already installed VM/Machine? Or will we have to download an updated iso and do a fresh install?

I did enable sb on bare metal that had CentOS 8. No reinstall.

If ELRepo packages are in use, then their key has to be loaded to EFI with mokutil.
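The two checks implied by the reply above (is Secure Boot actually on, and is the vendor key enrolled so signed modules load) as an added shell example; it is not from the thread or from Rocky/ELRepo. It assumes an EFI-booted host with efivarfs mounted and `mokutil` installed, and the ELRepo key path is an assumed placeholder to adjust to your system.

```shell
#!/bin/sh
# Added example, not part of the original forum thread.
# Assumptions: EFI boot with efivarfs at /sys/firmware/efi/efivars,
# mokutil available, and a DER-encoded vendor key file on disk.

# Decode a SecureBoot EFI variable file: the efivarfs layout is 4 bytes of
# attribute flags followed by the variable data, here a single byte
# (1 = Secure Boot enforcing, 0 = disabled).
sb_state_from_file() {
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Live check on a real host; reports the same thing as `mokutil --sb-state`.
sb_state() {
    f=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
    [ -n "$f" ] && sb_state_from_file "$f" || echo "no efivars (legacy BIOS or not EFI-booted)"
}

# Queue a vendor Machine Owner Key (e.g. ELRepo's) for enrollment. mokutil
# expects DER; the enrollment is confirmed in MokManager at the next reboot
# using the password it prompts for here, so a stray key cannot be added
# silently from userspace.
enroll_mok() {
    key="${1:-/etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der}"   # assumed path
    [ -f "$key" ] || { echo "key not found: $key" >&2; return 1; }
    if grep -q -- '-----BEGIN' "$key"; then
        echo "PEM given; convert first: openssl x509 -in $key -outform DER -out ${key%.*}.der" >&2
        return 1
    fi
    mokutil --import "$key"
}

# Show which keys the firmware's MOK list already trusts, so you can verify
# the enrollment took effect after the reboot.
list_enrolled() {
    mokutil --list-enrolled | grep -E 'Issuer|Subject'
}

sb_state
```

Run it as root after booting with Secure Boot switched on in firmware: `sb_state` should print `enabled`, then `enroll_mok`, reboot, accept the key in MokManager, and confirm with `list_enrolled` before loading an ELRepo module.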

Is it possible for Rocky to sign a bootloader/kernel/modules with their own internal CA and allow us to import it into the UEFI to get it to secure boot?

Will it wipe out existing certs in the UEFI or add to the chain of trust?

Or is the answer “It depends on your UEFI”?

I know if something is not so locked down that you can add a cert you should be able to simply disable secureboot; I was more curious about whether it allows adding to the chain of trust while keeping the existing trusted certs so other OSes can boot.

Or maybe create a competing signing cert process with a different governing body.

There is also the argument “Cause if you not gonna trust US why trust anyone else?” for just leaving one group able to sign the shim.

Regarding using custom keys, there was a similar question on RH