Questions tagged [secure-boot]

Questions for UEFI Secure-Boot, Secure-Boot Key Signing and Management

UEFI Secure Boot is a feature of the UEFI specification. Secure Boot verifies that the bootloader and kernel you boot are signed by a key the firmware trusts, and so prevents unsigned or malicious code from executing during boot.

Most new hardware supports Secure Boot. It can be enabled or disabled in the UEFI firmware settings during boot-up.

NOTE: Don't confuse Secure Boot with UEFI. Secure Boot is a feature of UEFI, but the reverse is not true.

105 questions
38 votes, 2 answers

What exactly is MOK in Linux for?

Upon installing Nvidia drivers I was prompted to set up a MOK password or third party drivers may not work properly, so I created one. After reboot I was presented with a blue MOK management screen with a few options in it, the first one being…
VernonB
17 votes, 2 answers

The UEFI & SecureBoot impact, how severe?

I'm planning to buy a new laptop in the coming days, and I'm quite impressed with new, cool Ultrabooks. As a long-time GNU/Linux user, I'll of course install a distro of my choice on it. Chances are I'll have to buy a computer with Windows 8…
user27225
13 votes, 2 answers

How can I secure the initrd and grub.cfg using secure boot?

I'm using the default Ubuntu approach with shim and grub2, combined with my own platform key (self-signing shim with sbsign) and an encrypted root partition, to secure boot my Ubuntu installation. But this verifies only grubx64.efi and the kernel,…
Juergen
11 votes, 2 answers

"Enroll MOK" dialog after the first reboot when you install Linux Mint 20.1 - what is it for (secure boot)?

I have a dual boot laptop Windows 10 / Linux Mint 20. Secure boot enabled and also hard disk encryption, but the latter is maybe not important for the question. By the way, my question is very similar to this one:…
Pavel Tankov
8 votes, 2 answers

Why does the kernel lockdown prevent hibernation?

In my systemd journal (journalctl) I often see this message: hibernation is restricted; see man kernel_lockdown.7 This seems to stem from the kernel lockdown feature that (only?) is active when you boot in UEFI mode with secure boot enabled. As far…
rugk
8 votes, 3 answers

Is there a way to enable secure boot in Linux?

Just like Windows has secure boot that prevents any external OS Loader code from running at boot, does Linux have any similar option for itself? I have looked around, but when I search, the only results I get are how to install Linux on a…
Rohan
6 votes, 0 answers

How to hibernate Debian with Secure Boot enabled and fully encrypted disk?

I'd like to be able to hibernate another one of my Debian/KDE machines because it's practical and I'd like to save some energy. I can't hibernate another one which has a swapfile and Secure Boot currently disabled. The machine runs Debian10/KDE, has…
mYnDstrEAm
5 votes, 1 answer

How do I use custom-signed shim for secure boot (Fedora)?

I'm not sure whether there's a guide for this but I'd like to know the detailed steps (step-by-step guide perhaps?) involved in achieving the following: Re-sign shim with a custom CA private key, but still let shim use the Fedora boot CA public key…
user48629
5 votes, 0 answers

Issues with booting a custom Kali Linux Live USB on computers with Secure Boot

As a project for a portable copy of my VM workspace and for later use in recovering dead drives (my main laptop is a 2015 model so data rescue is something to be concerned about), I'm trying to create a Kali Linux live USB that will boot on any x86…
OCDkirby
5 votes, 2 answers

Why can't I load signed VirtualBox kernel modules in Debian with SecureBoot enabled?

With Debian testing and SecureBoot enabled: I need to sign VirtualBox modules, as the output of the vboxconfig command says: vboxdrv.sh: Stopping VirtualBox services. vboxdrv.sh: Starting VirtualBox services. vboxdrv.sh: You must sign these kernel…
Kambei
5 votes, 1 answer

UEFI Secure boot key restrictions?

Following the instructions here: Secure Boot - ArchWiki worked great last year (2016). However, any keys created since the start of 2017 are refused by my Dell Optiplex 7440's UEFI firmware. I can even set the date on my desktop to 31st Dec 2016 and…
lane
5 votes, 1 answer

How to boot Arch Linux installation medium with Secure Boot enabled?

I've got a new laptop with a Samsung BIOS (version P08AFD) and Aptio Setup Utility. When I try to boot a USB stick with Arch Linux 2016.10.01 it says that the signature is invalid. The documentation seems to assume that I've already booted into Arch…
l0b0
4 votes, 3 answers

Possible to dual boot Linux Mint on any Windows 8 laptop?

I'm searching for a new laptop, and I'm currently considering getting an ASUS N56VZRH71. Everything spec-wise looks good (except for the absence of an SSD), but I want to know if I'll be able to dual boot Linux Mint and Windows 8 on it. I use…
Cornholio
4 votes, 1 answer

How come Fedora ignores `module.sig_enforce` kernel parameter if SB is enabled but Arch does not?

I recently secure-booted Arch and Fedora on my RTX3050 equipped laptop. As is common knowledge, I had to sign my Nvidia modules on Fedora for the kernel to load them. However, I find that the same is not the case with Arch. Arch loads the Nvidia…
cryptic
4 votes, 2 answers

LUKS + TPM2 + PIN

I am currently aware of two recent methods to bind a LUKS encrypted root partition to a TPM2: systemd-cryptenroll and clevis. Both of them seem to release the encryption key after successfully checking the PCRs the key was sealed against. But I…
Simon