Project ID: 55247


This repo contains two packages:

  • sbctl - A command line application for creating and enrolling UEFI secure boot keys and signing UEFI executables.
  • dracut-config-efistub - A kernel install hook and dracut configuration for creating a UKI (unified kernel image) images.

Installation Instructions


Follow the upstream instructions for information on how to create and enroll UEFI secure boot keys.

When a file signing configuration is saved to sbctl's database with -s, eg.:

sbctl sign -s /usr/lib/systemd/boot/efi/systemd-bootx64.efi

then the file will be resigned when the EFI executable is updated due to a package update. This is done via an RPM file trigger, which runs when an .efi file in /boot, /efi, /usr/lib, or /usr/libexec is updated.


Once installed, dracut will create/remove UKI images in <ESP>/EFI/Linux/ when a kernel package is installed/updated/removed. This is done by adding a new kernel install hook that executes dracut --uefi (as opposed to the plain old dracut command used for generating initramfs images). This package does not replace the default dracut behavior. This means both initramfs and UKI images will be generated when the kernel is updated.

Note: It is necessary to manually create /etc/kernel/cmdline with the desired kernel command line (eg. with the contents of /proc/cmdline on the running system) or else the UKIs will not be bootable. After that file is updated, run:

sudo dracut -vf --uefi --regenerate-all

to regenerate the UKIs. If sbctl is also installed, run:

sudo sbctl sign-all

to sign the newly generated UKIs.

Active Releases

The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).

Release Architectures Repo Download
Fedora 35 x86_64 (8)* Fedora 35 (0 downloads)
Fedora 36 x86_64 (33)* Fedora 36 (0 downloads)
Fedora 37 x86_64 (157)* Fedora 37 (57 downloads)
Fedora 38 x86_64 (87)* Fedora 38 (23 downloads)
Fedora rawhide x86_64 (14)* Fedora rawhide (28 downloads)

* Total number of packages downloaded in the last seven days.

Quick Enable

#> dnf copr enable chenxiaolong/secure-boot
More info about enabling Copr repositories

Other Actions