Menu
Enroll the Bluefin Secure Boot key to enable signed kernel modules (NVIDIA, custom kmods).
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Basé sur la classification professionnelle SOC
| name | secure-boot |
| description | Enroll the Bluefin Secure Boot key to enable signed kernel modules (NVIDIA, custom kmods). |
| domain | sysadmin |
Bluefin supports Secure Boot. For out-of-tree kernel modules (NVIDIA drivers, VirtualBox, custom kmods), the Bluefin signing key must be enrolled in the MOK (Machine Owner Key) database. This is a one-time post-install step required on NVIDIA variants and any system using custom kmods.
Load with: point your agent at this file.
# Is Secure Boot enabled in firmware?
mokutil --sb-state
# Output: "SecureBoot enabled" or "SecureBoot disabled"
# List currently enrolled MOK keys
mokutil --list-enrolled
Use the ujust recipe — it handles key location and enrollment automatically:
# Enroll the Bluefin Secure Boot key
ujust enroll-secure-boot-key
When prompted for a password during the MOK enrollment UI at reboot, enter:
universalblue
After running this command:
systemctl rebootuniversalblueThe system will boot normally with the key enrolled. Kernel modules will now load.
This can happen if the MOK enrollment was not queued properly:
# Re-run the enrollment recipe
ujust enroll-secure-boot-key
# Or manually import the key (if you have the .der file)
sudo mokutil --import /path/to/public_key.der
# Set a temporary enrollment password when prompted — you'll enter it at reboot
The Bluefin public key is typically located at /etc/pki/akmods/certs/akmods-ublue.der
or can be retrieved from the image. Use ujust --show enroll-secure-boot-key to see
the exact path used on your image.
If the ujust recipe is unavailable:
# Find the public key in the image
find /etc/pki /usr/share -name "*.der" 2>/dev/null | grep -i ublue
# Import the key
sudo mokutil --import /path/to/public_key.der
# Enter and confirm a temporary enrollment password
# Reboot and complete enrollment at the MOK Manager screen
systemctl reboot
After reboot:
# Check enrolled keys — look for "Universal Blue" or "ublue" in the output
mokutil --list-enrolled
# For NVIDIA: verify the driver module loaded
nvidia-smi # should return GPU info, not an error
| Scenario | Action |
|---|---|
| NVIDIA variant (any) | Enroll key on first boot |
| Rebased to NVIDIA image | Enroll key after rebase + reboot |
| Custom kmod fails to load | Enroll key, then re-trigger kmod build |
| Secure Boot disabled for kmods | Enroll key instead of disabling Secure Boot |
Create, enter, and manage Distrobox containers for mutable package installation on Bluefin.
ZFS administration on Bluefin — pools, datasets, snapshots, and delivery options for an immutable host that does not ship ZFS kernel modules.
Run, build, and manage OCI containers rootlessly on Bluefin — including Quadlets for persistent systemd-managed services.
Run self-hosted services on Bluefin DX using Podman Quadlets and linuxserver.io containers — persistent, auto-updating, systemd-managed.
Install and manage CLI tools with Homebrew — the primary CLI package manager on Bluefin.
Manage GNOME extensions, gsettings, and desktop customizations on Bluefin — including which settings Bluefin owns vs. which are safe to change.