Efistub

Secure your boot process part 2: Fedora and Unified Kernel images made easy with Dracut

I don't use Fedora anymore and these procedures might be considerably outdated. Fedora folks are working on a way to integrate and deploy [UKI by default](https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_2).

As you may notice, this is almost a part 2 of my Secure your boot process: UEFI + Secureboot + EFISTUB + Luks2 + lvm + ArchLinux, except that here I’ll not talk about all the Secure Boot stuff that I’ve already run into in my last blogpost. This one is specifically focused on how to achieve the same setup using Fedora.

This blogpost compiles my personal opinions around using bootloaders on EFI environments, so the classic “opinions expressed here are solely my own and do not express the views or opinions of my employer” applies.

Secure your boot process: UEFI + Secureboot + EFISTUB + Luks2 + lvm + ArchLinux

This guide was created back in 2020, and while the methodology of deploying your own Secure Boot CA remains the same, more modern tools have since been introduced, like `sbctl`, which is the de facto standard for generating and deploying your CA or MOK.

This tutorial isn’t a basic setup how-to that teaches you how to install Arch Linux, nor is it intended to replace the Installation Guide. This is a guide for those who want a laptop with data-at-rest encryption and a verified boot process using Secure Boot.

I’ll not be arrogant saying that this setup is “tampering-proof” since this also depends on your firmware manufacturer, but I believe that this is a notebook setup with good enough security.