Product SiteDocumentation Site

1.3. Fedora Secure Boot

The Fedora Secure Boot implementation has a single security objective: it prevents the execution of unsigned code in kernel mode.
Fedora can boot on systems with Microsoft Secure Boot enabled, provided the Microsoft certificate for third-party UEFI applications is installed. This mode of operation is most important for installing Fedora on machines which have been prepared for Windows 8. Other hardware is not likely to provide a Microsoft Secure Boot environment.


Third-party UEFI boot loaders (such as the Fedora boot loader) are not guaranteed to work on Microsoft Secure Boot systems because the necessary certificates are not part of the Windows 8 Hardware Certification Requirements. If your hardware is in this category, you need to switch off UEFI Secure Boot, enroll the missing Microsoft certificate, or enroll the Fedora certificate.
Fedora boots on UEFI systems which do not support or have disabled Secure Boot, too. This works with all UEFI boot loaders. These boot loaders also support running in an environment which performs boot path validation by other (non-UEFI) means. In this mode, there are no restrictions on executing code in kernel mode.
Details of the Fedora Secure Boot implementation are covered in Chapter 3, UEFI Secure Boot Implementation. Restrictions on kernel mode code execution disables certain functionality, see Section 3.4.1, “Restrictions”.