Secure boot with using own UEFI keys?

Hi, now I have a laptop with dasharo coreboot on it but not heads, I wondered if secure boot could be achieved. It seems not from the FAQ, but I found some instructions on Alpine Linux, I’m really not familiar with this area, but that seems feasible at first glance by generating our own keys + signing the kernel?

1 Like

aronowski has attempted this


Thanks both for you!

If you have the NV4x you should be able to use Heads at some point in the near future, there is a Dasharo release planned.


Pretty neat! I’ll need to read more about heads, I’m not sure I fully understand how it works

1 Like

This is a good article breaking down the different secure/verified boot approaches and how they work.

I am using this Laptop and i can confirm that Dasharo, HEADS and measured boot works well on 4.1. However measured boot != secureboot. To shrink this gap i plan on using the nitrokeys FIDO2 feature to achieve the same security goals as secure boot.

Should have pinged me here! I’d immediately post something regarding this topic.

But yes, as posted in that GitHub issue, I’ve been having some trouble with the Xen Unified Image and got stuck here. If one wants to try their luck, however, a good start would be this guide I wrote some time ago, how to get a bit of experience with the UEFI Secure Boot ecosystem on Fedora - with proper RPM recompilation, rather than manual binary signing.

However, for Qubes OS I wanted to first make sure the Xen UKI works in the first place, and then prepare the infrastructure to integrate it further into the Qubes build system.

@solene, please give it a try and tell me, what you think about it.