Open dngray opened 2 years ago
Another thing that I wouldn't mind mentioning here is the use of sbctl. It makes managing secure boot with your own keys so much easier. Currently available on a variety of distributions.
I've been working on packaging this for Fedora. I have used it on Arch Linux and it works successfully.
Description
URL of affected page: https://www.privacyguides.org/linux-desktop/hardening/#secure-boot
We should probably elaborate there a little on Dynamic Kernel Module Support (DKMS) and Akmods and how to sign them.
These come up when using virtualization software, NVIDIA drivers etc.
While it's not great to sign kernel modules blindly, it's better than disabling secure boot.
The alternative is to use the shim and Machine Owner Key (MOK).
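
For the DKMS and akmods signing raised in this issue, one way to check which built modules ended up unsigned, as an added example that is not part of the original issue or of the Privacy Guides documentation. It relies on the marker string that kernel module signing appends to a signed module file; the directory to scan is passed as an argument and is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: list kernel modules that carry no appended signature.
# A signed module file ends with this marker followed by a newline (28 bytes).
MODSIG_MARKER='~Module signature appended~'

# Write a module's raw bytes to stdout, decompressing by file extension.
module_bytes() {
    case "$1" in
        *.ko.xz)  xz -dc -- "$1" ;;
        *.ko.zst) zstd -dcq -- "$1" ;;
        *.ko.gz)  gzip -dc -- "$1" ;;
        *)        cat -- "$1" ;;
    esac
}

# Return 0 if the file ends with the signature marker, 1 otherwise.
# A file that cannot be read or decompressed counts as unsigned.
module_is_signed() {
    tail_text=$(module_bytes "$1" 2>/dev/null | tail -c 28 | tr -d '\000')
    [ "$tail_text" = "$MODSIG_MARKER" ]
}

# Print each unsigned module below directory $1; return 1 if any was found.
list_unsigned_modules() {
    unsigned=$(find "$1" -type f \( -name '*.ko' -o -name '*.ko.xz' \
            -o -name '*.ko.zst' -o -name '*.ko.gz' \) -print | sort |
        while IFS= read -r mod; do
            module_is_signed "$mod" || printf '%s\n' "$mod"
        done)
    [ -z "$unsigned" ] && return 0
    printf '%s\n' "$unsigned"
    return 1
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    list_unsigned_modules "$1"
fi
```

The marker only shows that a signature is attached; whether the kernel accepts the module still depends on the signing certificate being enrolled, for example as a MOK.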