Secure boot discovery

I’m not having any success getting discovery to work with secure boot, any help or advice greatly appreciated.

I want to provision hosts via PXE using discovery. I’m running on Ubuntu 20.04 and know that discovery is based on CentOS, so it will be signed differently.

I can disable secureboot and discover a host and then enable secure boot and install the os (ubuntu) with secureboot enabled. That works ok.

What do I need to do to get discovery working with secureboot enabled?
For now, I am happy enough to just get disco working, so I know I will probably break the installer if I switch to a different shimx64.
Whatever combination will allow discovery, I can then try and work around.

Ubuntu 20.04
Foreman 3.6.1

thanks

Hi @dgibson

I think you’re spot on with “files are signed with a different key”. Please have a look at Add SecureBoot support for arbitrary distributions. Maybe my colleague can give you a short update on the effort to rework secure boot in Foreman or other small hints. cc @Jan

thanks @maximilian I had read @Jan’s post and was planning on implementing that approach, but my understanding was that the hosts were being created in Foreman and provisioned, not discovered.

My issue is getting Foreman discovery to work with secureboot enabled.
Can I confirm that this is indeed supported?

As discovery is CentOS based, if I was to install Foreman on CentOS, would this work out of the box, as it would be a signed CentOS/Red Hat boot shim?
Do the initd0.img and vmlinuz0 also need to be signed?

thanks again

AFAIK it’s not officially supported (yet)

Hi.

As long as Add SecureBoot support for arbitrary distributions is not implemented, you could try using Ubuntu-based FDI which can be built with KIWI:

Keep in mind that you can only provision Ubuntu hosts with this approach.

This looks ideal, as it is only Ubuntu hosts that I wish to provision for now. I’ll give it a go, thanks!