Advice/instructions for manual Secure Boot enrollment?

jokeyrhyme · June 24, 2025, 11:18pm

howdy!

i have an issue similar to Error enrolling secure boot key

my desktop motherboard ( https://rog.asus.com/au/motherboards/rog-strix/rog-strix-x670e-e-gaming-wifi-model/ ) has never worked with any automatic key enrolment, which is frustrating when i can see it work so perfectly on my laptop

anyhow, it does support manual enrolment of PK, KEK, DB, and DBX files, because i would previously generate my own private key and sign my EFI payloads back when i used Arch btw

what is the manual enrolment process for bazzite / universal-blue ? which files should be enrolled under which of PK/KEK/DB/DBX in order to get Secure Boot enforcement working as expected (whilst enabling this distribution)?

cheers! <3

m2Giles · June 25, 2025, 12:20pm

We do not modify your PK, KEK, DB, or DBX entries. The requirement we have is that your Motherboard have the 3rd Part Microsoft Keys loaded (KEK, DB, and DBX). This should be either the default option for your Motherboard or rarely other OS/3rd Party.

For our signing needs we use the Machine Owner Key mechanism with Shim. Linux will trust a certificate that is loaded through shim as if it were a DB entry or signed by the KEK.

Reload the default keys. Then go through our documentation.

jokeyrhyme · June 26, 2025, 10:47pm

Thanks, didn’t realise this just needed the default Microsoft chain of trust

The MOK is installed and Secure Boot is all enabled for me now, cheers! <3

Topic		Replies	Views
Bluefin LTS - Secure boot enrollment issue General	2	86	March 10, 2026
Secure Boot Notice Bazzite announcements	18	13017	August 23, 2024
Unable to disable secure boot to enroll MOK Bluefin	3	383	November 28, 2024
Resolved: Unable to enable secure boot ASUS H97i-PLUS Bazzite	1	257	April 30, 2025
Error enrolling secure boot key Bluefin	7	677	December 27, 2024

Advice/instructions for manual Secure Boot enrollment?

Related topics