I have concluded that using Secure Boot, UKI, and signed initrds is not viable under Linux distros at this time. There are too many fragile parts. Installers don't support this out of the box. The setup has to be hacked into the system afterwards, and it often breaks on system updates. If I need a stable system that doesn't need rescuing, I cannot use signed Secure Boot with Linux. Coupled with LUKS, Secure Boot and UKI have the potential to protect us from physical attack vectors, but it only works in theory.
sudo dnf install systemd-ukify binutils openssl mokutil sbsigntools
(sbsigntools is the Fedora package that ships sbsign and sbverify; there is no package named sbverify.)
Create the signing key and certificate
sudo mkdir -p /etc/kernel/certs
sudo openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout /etc/kernel/certs/secure-boot.key.pem -out /etc/kernel/certs/secure-boot.cert.pem -subj "/CN=My-Local-UKI-Key/"
Enroll the certificate. Note that mokutil --import expects the certificate DER-encoded, while sbverify and ukify read the same X.509 certificate PEM-encoded (which is what openssl req above wrote), so you end up keeping two encodings of the one cert; openssl x509 -in secure-boot.cert.pem -outform DER -out secure-boot.cert.der produces the DER copy. mokutil asks for a one-time password, and the enrollment is confirmed in MokManager on the next reboot.
sudo mokutil --import /etc/kernel/certs/secure-boot.cert.der
Note that a factory reset may not remove this key from UEFI; the key still shows up after a factory reset when I try to enroll it again.
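The key generation and enrollment steps above, as an added example that is not part of the original notes: one script that creates the key pair once, writes the certificate in both encodings, and proves the PEM and DER files are the same certificate before anything is enrolled. It assumes the same paths as above (CERT_DIR defaults to /etc/kernel/certs) and the same subject; the function names are mine. Only the certificate needs a second encoding; the private key stays PEM.

```shell
#!/bin/bash
# Added example (not part of the original notes): create the UKI signing key once,
# keep the certificate in both encodings, and prove both copies are the same cert.
# Assumes the paths used in the notes; CERT_DIR and the subject are the only inputs.
set -eu

CERT_DIR=${CERT_DIR:-/etc/kernel/certs}

# Generate an unencrypted private key plus a self-signed X.509 certificate in PEM
# (what ukify and sbverify read), then write a DER copy of the same certificate
# (what mokutil --import reads). Refuses to clobber an existing key.
make_uki_keys() {
    local dir=$1
    local subj=${2:-/CN=My-Local-UKI-Key/}
    local key=$dir/secure-boot.key.pem
    local pem=$dir/secure-boot.cert.pem
    local der=$dir/secure-boot.cert.der
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing signing key $key" >&2
        return 1
    fi
    mkdir -p "$dir"
    chmod 0700 "$dir"   # this key signs everything the firmware will trust
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$key" -out "$pem" -subj "$subj" 2>/dev/null
    chmod 0600 "$key"
    openssl x509 -in "$pem" -outform DER -out "$der"
}

# SHA-256 fingerprint of a certificate file; $2 is its encoding (PEM or DER)
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when the PEM and DER files in $1 carry the same certificate
same_cert() {
    [ "$(cert_fingerprint "$1/secure-boot.cert.pem" PEM)" = \
      "$(cert_fingerprint "$1/secure-boot.cert.der" DER)" ]
}

# Encoding sniff: PEM starts with "-----BEGIN", DER with the ASN.1 SEQUENCE tag 0x30
cert_encoding() {
    if [ "$(head -c 10 "$1")" = "-----BEGIN" ]; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Enroll the DER copy in the MOK list. mokutil asks for a one-time password that
# MokManager prompts for on the next reboot. Not called here: it writes NVRAM.
enroll_mok() {
    mokutil --import "$1/secure-boot.cert.der"
}

# Usage as root:
#   make_uki_keys "$CERT_DIR" && same_cert "$CERT_DIR" && enroll_mok "$CERT_DIR"
```

Running same_cert before enroll_mok catches the case the notes warn about: ukify signing with one file while the firmware trusts a different one, which silently produces a UKI that Secure Boot refuses.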
Next, configure kernel-install to build UKI images with ukify and sign them with the key above, instead of installing a plain kernel plus initrd.
echo -e "layout=uki\nuki_generator=ukify" | sudo tee /etc/kernel/install.conf
echo -e "[UKI]\nSecureBootPrivateKey=/etc/kernel/certs/secure-boot.key.pem\nSecureBootCertificate=/etc/kernel/certs/secure-boot.cert.pem" | sudo tee /etc/kernel/uki.conf
Now generate the first UKI manually; installing a new kernel is what normally triggers this, and we are not installing one right now. ukify reads the PEM-encoded key and certificate configured in uki.conf, even though mokutil wanted the DER encoding.
sudo kernel-install add $(uname -r) /lib/modules/$(uname -r)/vmlinuz
Once that works we need to add the kernel to NVRAM. Are we going to have to do this manually every time a new kernel is built, and manually remove old ones?
# Example: --disk /dev/nvme0n1 --part 1 --loader "\\EFI\\Linux\\your-kernel.efi"
sudo su
DEV=/dev/nvme0n1             # the disk that holds the ESP
PART_NUMBER=6                # partition number of the ESP on that disk (findmnt -no SOURCE /boot/efi shows it)
DISK=${DEV}p${PART_NUMBER}   # the ESP block device itself; efibootmgr below wants disk and number separately
# Newest UKI on the ESP, turned into a backslash path relative to the ESP root
UKI=$(ls -t /boot/efi/EFI/Linux/*.efi | sed 's|/boot/efi||' | head -n1 | sed 's|/|\\|g')
efibootmgr --create --disk $DEV --part $PART_NUMBER --label "Fedora UKI" --loader "$UKI"
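The NVRAM step above done repeatably, as an added example that is not part of the original notes: the script derives the disk and partition from the ESP mount instead of hard-coding them, refuses to register a UKI that does not verify against our certificate, and replaces any existing "Fedora UKI" entry rather than adding one per kernel. Assumptions: the ESP is mounted at /boot/efi, kernel-install put the UKIs under EFI/Linux, the certificate is /etc/kernel/certs/secure-boot.cert.pem, and lsblk has the PARTN column (recent util-linux). The function names and the efibootmgr output parsed in the test are mine.

```shell
#!/bin/bash
# Added example (not part of the original notes): register the newest UKI on the ESP as a
# single "Fedora UKI" boot entry. Assumes ESP at /boot/efi, UKIs under EFI/Linux, and the
# signing cert from the notes; disk and partition are read from the mount, not hard-coded.
set -eu

ESP=${ESP:-/boot/efi}
LABEL=${LABEL:-"Fedora UKI"}
CERT=${CERT:-/etc/kernel/certs/secure-boot.cert.pem}

# Turn an absolute path under the ESP into the backslash path UEFI expects,
# e.g. /boot/efi/EFI/Linux/fedora.efi -> \EFI\Linux\fedora.efi
uki_loader_path() {
    local esp=$1 path=$2 rel
    case $path in
        "$esp"/*) rel=${path#"$esp"} ;;
        *) echo "$path is not under the ESP $esp" >&2; return 1 ;;
    esac
    printf '%s\n' "$rel" | sed 's|/|\\|g'
}

# Most recently written UKI; kernel-install writes one file per kernel version
newest_uki() {
    ls -t "$1"/EFI/Linux/*.efi 2>/dev/null | head -n1
}

# Read efibootmgr output on stdin and print the Boot#### numbers whose label is
# exactly $1. Entries look like "Boot0003* Fedora UKI<TAB>HD(...)/File(...)" (active)
# or "Boot0005  Fedora UKI" (inactive); the label always starts at column 11.
existing_bootnums() {
    awk -v label="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num = substr($1, 5, 4)
            rest = substr($0, 11)
            sub(/\t.*$/, "", rest)
            if (rest == label) print num
        }'
}

# Device node backing the ESP mount, then "/dev/<parent disk> <partition number>"
esp_location() {
    local src
    src=$(findmnt -no SOURCE "$1")
    printf '/dev/%s %s\n' "$(lsblk -no PKNAME "$src")" "$(lsblk -no PARTN "$src")"
}

main() {
    local mode=${1:-dry-run} uki loader disk partn num
    uki=$(newest_uki "$ESP")
    [ -n "$uki" ] || { echo "no UKI found under $ESP/EFI/Linux" >&2; return 1; }
    # A UKI that is not signed by our cert would register fine and then fail Secure Boot
    sbverify --cert "$CERT" "$uki" >/dev/null 2>&1 \
        || { echo "$uki does not verify against $CERT; check uki.conf before registering it" >&2; return 1; }
    loader=$(uki_loader_path "$ESP" "$uki")
    set -- $(esp_location "$ESP")
    disk=$1 partn=$2
    # efibootmgr --create never replaces, so drop stale entries with our label first
    for num in $(efibootmgr | existing_bootnums "$LABEL"); do
        echo "removing stale entry Boot$num"
        [ "$mode" = apply ] && efibootmgr --quiet --bootnum "$num" --delete-bootnum
    done
    echo "efibootmgr --create --disk $disk --part $partn --label '$LABEL' --loader '$loader'"
    [ "$mode" = apply ] && efibootmgr --create --disk "$disk" --part "$partn" --label "$LABEL" --loader "$loader"
    return 0
}

# Nothing touches NVRAM unless you pass --apply; --dry-run only prints what would happen
case ${1:-} in
    --apply) main apply ;;
    --dry-run) main dry-run ;;
esac
```

Run it as root with --dry-run first, then --apply. It still has to be rerun after every kernel install because kernel-install names each UKI by kernel version, and old UKIs still have to be removed with kernel-install remove <version>; the alternative that avoids per-kernel NVRAM edits is a boot manager such as systemd-boot, which scans EFI/Linux for UKIs itself and needs only one boot entry.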
After a kernel update Fedora is trashed. It boots but can't load the services related to the drives during systemd's stupid boot process. Since the system is now bricked, I have to start over again.