Help: Installing Fedora 34 with secureboot on new Thinkpad

Hello,

I just got my new Thinkpad X1 Carbon Gen 9 :grin: and can’t boot with secure boot enabled :sleepy: (I ordered the laptop without OS, since Fedora wasn’t available yet).

I can boot in the Live-session with secure boot turned off and also in secure boot setup mode.

When secure boot is enabled and I select the USB-Stick with Fedora 34 to boot, the computer restarts after a short black screen.

I guess it’s a problem with the secure boot keys.

In the UEFI-BIOS Menu (https://download.lenovo.com/bsco/index.html), under “Security”, “Secure Boot”, “Key Management”, I have a lot of options to enroll Keys (PK, KEK, DB, DBX).

Therefore:

  1. Is there a simple way to boot and install Fedora 34 with secure boot I don’t get?
    If not:
  2. Where can I find the required Keys (I found this: https://docs.fedoraproject.org/en-US/Fedora/18/html/UEFI_Secure_Boot_Guide/chap-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot.html but I’m not sure a Guide / Key for Fedora 18 is still up to date and don’t want to mess something up).
  3. How should I load the required Keys?

Many thanks in advance for any help!

2 Likes

Fedora 34 has a blocker bug https://bugzilla.redhat.com/show_bug.cgi?id=1938630 which is Secure Boot related.

4 Likes

Oh, I see… I guess that should explain the problem, as the laptop came just today with the latest firmware (1.23) which is dated 31.03.2021, and the db/dbx should exclude the 2018 signature.

Thanks a lot for your input!

3 Likes

It’s confirmed: it works with the test image with the new shim-15.4.3 (https://fedorapeople.org/groups/qa/test_days/).

So the problem will be gone soon.

5 Likes

Thanks for updating back!