secure-boot
Enroll the Bluefin Secure Boot key to enable signed kernel modules (NVIDIA, custom kmods).
| name | secure-boot |
| description | Enroll the Bluefin Secure Boot key to enable signed kernel modules (NVIDIA, custom kmods). |
| domain | sysadmin |
Bluefin supports Secure Boot. For out-of-tree kernel modules (NVIDIA drivers, VirtualBox, custom kmods), the Bluefin signing key must be enrolled in the MOK (Machine Owner Key) database. This is a one-time post-install step required on NVIDIA variants and any system using custom kmods.
Load with: point your agent at this file.
```bash
# Is Secure Boot enabled in firmware?
mokutil --sb-state
# Output: "SecureBoot enabled" or "SecureBoot disabled"

# List currently enrolled MOK keys
mokutil --list-enrolled
```
Use the ujust recipe — it handles key location and enrollment automatically:
```bash
# Enroll the Bluefin Secure Boot key
ujust enroll-secure-boot-key
```

When prompted for a password during the MOK enrollment UI at reboot, enter:

```
universalblue
```

After running this command:

1. Reboot: `systemctl reboot`
2. Enter the password `universalblue` when the MOK enrollment UI asks for it.
3. The system will boot normally with the key enrolled. Kernel modules will now load.
This can happen if the MOK enrollment was not queued properly:
```bash
# Re-run the enrollment recipe
ujust enroll-secure-boot-key

# Or manually import the key (if you have the .der file)
sudo mokutil --import /path/to/public_key.der
# Set a temporary enrollment password when prompted — you'll enter it at reboot
```

The Bluefin public key is typically located at `/etc/pki/akmods/certs/akmods-ublue.der` or can be retrieved from the image. Use `ujust --show enroll-secure-boot-key` to see the exact path used on your image.
If the ujust recipe is unavailable:
```bash
# Find the public key in the image
find /etc/pki /usr/share -name "*.der" 2>/dev/null | grep -i ublue

# Import the key
sudo mokutil --import /path/to/public_key.der
# Enter and confirm a temporary enrollment password

# Reboot and complete enrollment at the MOK Manager screen
systemctl reboot
```
After reboot:
```bash
# Check enrolled keys — look for "Universal Blue" or "ublue" in the output
mokutil --list-enrolled

# For NVIDIA: verify the driver module loaded
nvidia-smi  # should return GPU info, not an error
```
| Scenario | Action |
|---|---|
| NVIDIA variant (any) | Enroll key on first boot |
| Rebased to NVIDIA image | Enroll key after rebase + reboot |
| Custom kmod fails to load | Enroll key, then re-trigger kmod build |
| Secure Boot disabled for kmods | Enroll key instead of disabling Secure Boot |
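
The status checks and the "not queued properly" case above can be combined into one script. This is an added example, not part of the Bluefin skill or its ujust recipes: it classifies the enrollment state from `mokutil` output using the strings this page names. The function names, the state labels, the use of `mokutil --list-new` to spot a queued key, and the sample listings are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: classify MOK enrollment state from mokutil output.
# Match strings ("SecureBoot enabled", "Universal Blue", "ublue") are the ones
# this page names; function names and state labels are hypothetical.

# Succeeds if the key listing on stdin mentions the Bluefin signing key.
has_ublue_key() {
    grep -Eiq 'universal blue|ublue'
}

# mok_state SB_STATE ENROLLED_LIST QUEUED_LIST
# Prints one of: enrolled, pending-reboot, secure-boot-off, not-enrolled
mok_state() {
    if printf '%s\n' "$2" | has_ublue_key; then
        echo enrolled                 # key is in the MOK database
    elif printf '%s\n' "$3" | has_ublue_key; then
        echo pending-reboot           # import queued, MOK Manager not completed
    elif ! printf '%s\n' "$1" | grep -q 'SecureBoot enabled'; then
        echo secure-boot-off          # firmware is not enforcing signatures
    else
        echo not-enrolled             # Secure Boot on, key missing: kmods rejected
    fi
}

# Map a state to the action this page recommends.
next_step() {
    case $1 in
        enrolled)        echo "nothing to do" ;;
        pending-reboot)  echo "systemctl reboot, then complete enrollment in MOK Manager" ;;
        secure-boot-off) echo "enroll the key, then enable Secure Boot in firmware" ;;
        *)               echo "ujust enroll-secure-boot-key" ;;
    esac
}

# Constructed sample listings (abbreviated; not real mokutil output).
SAMPLE_WITH_KEY='[key 1]
        Subject: CN=Example Distro Secure Boot CA
[key 2]
        Subject: O=Universal Blue, CN=ublue kernel'
SAMPLE_WITHOUT_KEY='[key 1]
        Subject: CN=Example Distro Secure Boot CA'

# Live check on a real system: sh this-script --live
if [ "${1:-}" = "--live" ]; then
    state=$(mok_state "$(mokutil --sb-state 2>&1)" \
        "$(mokutil --list-enrolled 2>&1)" "$(mokutil --list-new 2>&1)")
    echo "$state: $(next_step "$state")"
fi
```

A `pending-reboot` result means the import was queued but the MOK Manager step has not been completed yet, so re-running the enrollment recipe is not needed.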