js' blog

Actually secure boot on Fedora 39
Created: 07.10.2023 20:48 UTC

If you've set up actually secure boot as previously described on this blog on your Fedora installation, you need to make some changes when updating to Fedora 39. Luckily, updating to Fedora 39 won't break your system - it just means the kernel won't be updated anymore. However, this would turn into a problem as soon as dnf removes the modules for the kernel you are using.

As Fedora 39 and systemd-boot worked towards using UKIs (unified kernel images), some things changed. In particular, the order of install scripts is different now, and 100-combine-and-sign.install was run too early (it should have been 99; kernel-install runs its plugins in lexical order of their file names, so 100 sorts before the two-digit prefixes). On top of that, objcopy can no longer be used to create an .efi file with the systemd-boot stub; ukify needs to be used instead.

In order to make updating kernels work again, do the following:

sudo rm /etc/kernel/install.d/100-combine-and-sign.install
curl https://blog.nil.im/files/99-combine-and-sign.install | sudo tee /etc/kernel/install.d/99-combine-and-sign.install
# Review the script that tee printed while saving it, before making it executable: kernel-install will run it as root.
sudo chmod +x /etc/kernel/install.d/99-combine-and-sign.install
sudo dnf install systemd-ukify
sudo dnf reinstall kernel-core
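
Before rebooting, the state of the plugin directory can be checked. The following is an added example, not part of the original post or of the downloaded script; check_install_d is a hypothetical helper name, and it assumes the plugin is a script that starts with an interpreter line.

```shell
#!/bin/sh
# Added example, not the blog's script. check_install_d is a hypothetical
# helper; run it as root so the ownership test compares against root.
check_install_d() {
    dir=${1:-/etc/kernel/install.d}
    old=$dir/100-combine-and-sign.install
    new=$dir/99-combine-and-sign.install
    rc=0

    # The old plugin has to be removed, as in the first step above.
    if [ -e "$old" ]; then
        echo "FAIL: $old is still present" >&2; rc=1
    fi
    if [ ! -f "$new" ]; then
        echo "FAIL: $new is missing" >&2; return 1
    fi
    # The procedure marks the plugin executable with chmod +x.
    if [ ! -x "$new" ]; then
        echo "FAIL: $new is not executable" >&2; rc=1
    fi
    # Assumption: the plugin is a script with an interpreter line. An HTTP
    # error page or empty file saved by `curl | tee` fails this test.
    first=
    IFS= read -r first < "$new" || true
    case $first in
        '#!'*) ;;
        *) echo "FAIL: $new does not start with #!" >&2; rc=1 ;;
    esac
    # The plugin runs as root on kernel installs, so nobody else may be
    # able to rewrite it: owned by the caller, no group/other write bit.
    if [ ! -O "$new" ]; then
        echo "FAIL: $new is not owned by uid $(id -u)" >&2; rc=1
    fi
    if [ -n "$(find "$new" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $new is writable by group or others" >&2; rc=1
    fi
    return "$rc"
}

# Stand-alone use: sudo sh check.sh /etc/kernel/install.d
if [ "$#" -gt 0 ]; then
    check_install_d "$1"
fi
```

The function prints one FAIL line per problem and returns non-zero if any check fails.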

If you reboot now and execute uname -r, the output should contain .fc39 instead of .fc38. If rebooting does not work, boot linux-old.efi, make a backup of it (e.g. linux-working.efi) and contact me.