Switching to Secure Boot

From Rosalab Wiki
Jump to: navigation, search

If you already have ROSA Desktop Fresh R4 or R5 installed in UEFI mode and want to turn Secure Boot mode on without reinstalling, please, follow the steps below.

  • Update your system so that grub2 and grub2-efi packages were of version 2.00-67 or higher.
  • Install shim or update it to the latest version (0.8-1 or higher) if it is already installed.
  • Make sure that you have EFI partition mounted at /boot/efi.
  • Reinstall the bootloader (/dev/sdXY here is your EFI partition):
# grub2-efi-install /dev/sdXY
  • Update the grub config files:
# update-grub2

Now you can reboot, go to the BIOS settings and switch Secure Boot on.

P.S. Please, note that even though ROSA boots in Secure Boot mode, it cannot be treated as trusted platform. The kernel is not signed, and when it is loaded, the Secure Boot services are exited from and can no longer provide protection from loading untrusted code.