Enable Secure Boot on GA-Z97X-UD3H [solved]

I am trying to set up Secure Boot for my Linux workstation on a Gigabyte Z97X-UD3H motherboard.

I found out that my motherboard calls this "Windows 8 Features", which I therefore turned on. This showed some new settings for Secure Boot, which became enabled by default. I changed the other settings to be as restrictive as possible.

After setting an Administrator password I saved and exited the setup and tried booting the operating system which worked without an issue. Since I am running Fedora 25, I didn't expect any trouble. However, when I enter the BIOS it says that Secure Boot is disabled, even though right below the status it is set to enabled.

At first I thought this is temporary because I haven't restarted the machine, but even after a complete reboot, the system still says "Disabled" (as shown in the screenshot). The administrator password works on the other hand. ;-)

Can someone tell me if this means that Secure Boot works anyways or what I can do to make it work?

Thanks for any help!

1 Like

Secure Boot is a Windows-only feature... Hence why it was under the "Windows 8 Features" tab. Linux is not going to have software compatibility to take any advantage of this feature.

I'm sorry, but that is not the case. You can in fact sign your own bootloader with your own keys (if your motherboard supports that; mine does, and many others probably do too) or let Microsoft sign your bootloader with the official keys that are standard on all computers that ship with Windows 8+.

The latter is what (among others) Ubuntu and Fedora did:

https://fedoraproject.org/wiki/Features/SecureBoot


If you trust Wikipedia, here is what they say about that:

Secure boot is supported by Windows 8 and 8.1, Windows Server 2012, and 2012 R2, and Windows 10 and a number of Linux distributions including Fedora (since version 18), openSUSE (since version 12.3), RHEL (since RHEL 7), CentOS (since CentOS 7[49]) and Ubuntu (since version 12.04.2).[50] As of January 2017, FreeBSD support is in a planning stage.[51]
Source: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot

Wasn't aware of that, I would try updating the BIOS then if you haven't already. Never thought Secure Boot was supported beyond Windows, although it does seem either your install of Fedora or your motherboard isn't playing nice as it sits right now. Being a new feature as that wiki post reads, I would definitely update the BIOS, although I'm not sure a Z97 board would get any updates to specifically make it work any better on Linux, but it's possible.

I was expecting that the system will just refuse to boot, if there was a problem with the bootloader, no matter if it's the OS' or the motherboard's fault.

I feel like there must be a configuration/compatibility problem inside the BIOS or something related to the hardware. I don't think that the board would disable Secure Boot if there was an issue with Fedora, since that would defeat the purpose of having it.

Unfortunately, my motherboard's manual doesn't mention anything interesting about Secure Boot, except what the settings mean, but I can get the same information when I select the options in the BIOS.

Okay, so I am happy to report that I solved this issue. :D

Turns out my motherboard doesn't set the default keys from Microsoft if you set the "Secure Boot Mode" to "Standard". In fact you have to set it to custom, where you would be able to set your own keys too.

After that you need to select the "Key Management" option and either set your own keys or use the option which is hidden in there to set the default keys.

After I confirmed the action and hit F10, I rebooted the system and went back to the BIOS. Now it finally says "Secure Boot state: Enabled". I rebooted again and let the system proceed to booting the OS which worked perfectly with Fedora.

I still need to verify that the system won't boot any random bootloader, but it looks promising so far. :-)

PS: Yes, I took the first screenshot in this post after I already enabled it ;-)


Update: So I tried booting off a Live-CD that I was quite sure doesn't have a Secure Boot signature, and the BIOS refused to boot it as expected. When I used the Fedora 25 Live-DVD, it booted just like from my internal hard drive. So I assume that I can be fairly certain that Secure Boot is working ;-)

1 Like
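
An OS-side check of the state the solution post read in the firmware UI, added here as an example (not code from the thread): it reads the standard UEFI `SecureBoot` and `SetupMode` variables through Linux's efivarfs. That the board's "Disabled" state corresponded to setup mode (no Platform Key enrolled) is an assumption; the thread does not show it.

```python
#!/usr/bin/env python3
"""Report the UEFI Secure Boot state as the running Linux kernel sees it."""
import sys
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE).
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_flag(name, efivars=EFIVARS):
    """Return the one-byte value of a global UEFI variable, or None if absent."""
    path = Path(efivars) / f"{name}-{GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    # efivarfs prepends a 4-byte little-endian attribute word to the data.
    if len(raw) < 5:
        raise ValueError(f"{path}: expected 4 attribute bytes plus data")
    return raw[4]


def secure_boot_state(efivars=EFIVARS):
    """Classify the platform as seen from the OS.

    Returns 'no-uefi', 'unsupported', 'setup-mode', 'disabled' or 'enforcing'.
    """
    if not Path(efivars).is_dir():
        return "no-uefi"        # legacy/CSM boot, or efivarfs not mounted
    secure_boot = read_flag("SecureBoot", efivars)
    if secure_boot is None:
        return "unsupported"    # firmware exposes no SecureBoot variable
    if read_flag("SetupMode", efivars) == 1:
        return "setup-mode"     # no Platform Key enrolled, nothing is verified
    return "enforcing" if secure_boot == 1 else "disabled"


if __name__ == "__main__":
    state = secure_boot_state()
    print(f"Secure Boot: {state}")
    # Non-zero exit lets a provisioning script fail when not enforcing.
    sys.exit(0 if state == "enforcing" else 1)
```

A result of `setup-mode` means the firmware switch can read "Enabled" while no keys are enrolled, so nothing is being verified at boot.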

Thx so much you helped me a lot