Re: Where are we with SB? What's missing?
On Thu, 2018-10-11 at 16:58 +0100, Steve McIntyre wrote:
> > Short howto, hopefully I didn't forget anything:
> > - You need a second way to boot the system!
> > - Grab test cert from src:linux,
> > debian/certs/test-signing-certs.pem
> > - Convert to DER:
> > openssl x509 -inform pem -in test-signing-certs.pem -outform der -out
> > /boot/efi/EFI/debian/testcert.der
> > - Install shim-signed, grub-efi-amd64-signed, linux-image-4.19.0-rc6-amd64 from experimental.
> > - In /boot/efi/EFI/debian:
> > - cp grubx64.efi grubx64.efi.ori
> > - cp mmx64.efi grubx64.efi
> > - Enable Secure Boot and reboot; should boot into MOK (mmx64.efi)
> > - Enroll testcert.der from above
> > - Boot via rescue (might need to disable secure boot)
> > - Restore grub2: cp grubx64.efi.ori grubx64.efi
> > - Reboot with Secure Boot
I also wanted to try Secure-Boot on real hardware. I first followed the same
procedure as you on a ThinkPad X230, then, following advice on #debian-kernel, did
the following on an X250:
- boot without secure boot (current config)
- install linux-image 4.19+ from experimental
- install shim-signed and grub-efi-amd64-signed
- install mokutil
- convert test cert to DER
- import DER test cert using mokutil:
mokutil --import debian/certs/test-signing-certs.der
- reboot
The default configuration actually uses shim-signed as the default boot entry, which
then sees that there is a request and chainloads automatically to mmx64.efi (so no
need to rename them).
After another reboot, shim will happily load grub-signed, which in turn will
At that point, you can now enable Secure Boot in the BIOS and it should work.
The mokutil --import step won't be necessary once the kernel is signed with
the production key, since shim already embeds CN=Debian Secure Boot CA (it
appears in mokutil --list-enrolled).
Maybe some more tests on non-ThinkPads would be nice, but it looks like on the
user part things are looking good (no idea about install media though).
Regarding module signature, they are correctly enforced when booting 4.19 with
secure boot, thanks to lockdown patch. Obviously this breaks out-of-tree
modules as indicated by Ben later in the thread.
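The two checks the procedure above leans on (is Secure Boot actually enforcing, and is the test cert, or the embedded Debian Secure Boot CA, present in MokListRT or db) can be done without mokutil by reading efivarfs directly. The following is an added example, not code from this thread, from mokutil or from shim: a stdlib-only Python script that does what the `openssl x509 -outform der` step does (PEM armor is just base64 of the DER) and parses the EFI_SIGNATURE_LIST blobs that db and MokListRT are made of. The function names, the `check_system` helper and the constructed sample bytes (which are not a real certificate) are mine; only `check_system` touches the live machine and needs a UEFI-booted Linux.

```python
"""Check Secure Boot state and certificate enrollment by parsing efivarfs.

Added example (not mokutil/shim code). Pure stdlib; the EFI_SIGNATURE_LIST
layout follows the UEFI spec's "Signature Database" section.
"""
import base64
import os
import struct
import sys
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
# SecureBoot and db live under EFI_GLOBAL_VARIABLE; MokListRT under shim's GUID.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def pem_to_ders(pem: str) -> list:
    """Same result as `openssl x509 -inform pem -outform der`, for every cert in the file."""
    ders, buf, inside = [], [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, buf = True, []
        elif line == "-----END CERTIFICATE-----":
            if not inside:
                raise ValueError("END without BEGIN")
            ders.append(base64.b64decode("".join(buf), validate=True))
            inside = False
        elif inside and line:
            buf.append(line)
    if inside:
        raise ValueError("unterminated certificate block")
    return ders


def efivar_payload(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte little-endian attribute mask."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    return raw[4:]


def secure_boot_enabled(raw: bytes) -> bool:
    """SecureBoot is one byte: 1 when the firmware is enforcing signatures."""
    return efivar_payload(raw) == b"\x01"


def parse_signature_lists(data: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner, signature_data) triples.

    Every length field is bounds-checked: this data comes from NVRAM, not from us.
    """
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        end = off + list_size
        body = off + ESL_HEADER.size + hdr_size
        if end > len(data) or body > end or sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_type = uuid.UUID(bytes_le=type_le)
        for pos in range(body, end, sig_size):          # each entry: owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
        off = end
    return entries


def x509_entries(data: bytes) -> list:
    return [sig for t, _, sig in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]


def cert_enrolled(der: bytes, list_data: bytes) -> bool:
    """True when exactly this DER certificate appears in the list (byte-for-byte)."""
    return der in x509_entries(list_data)


def build_x509_list(owner: uuid.UUID, der: bytes) -> bytes:
    """One EFI_SIGNATURE_LIST holding a single X.509 cert; used to build test input."""
    sig_size = 16 + len(der)
    return (ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, ESL_HEADER.size + sig_size, 0, sig_size)
            + owner.bytes_le + der)


def check_system(der: bytes) -> dict:
    """Read the live variables and report Secure Boot state and where the cert is found."""
    def read(name, guid):
        with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as f:
            return f.read()
    report = {}
    for key, name, guid in (("secure_boot", "SecureBoot", EFI_GLOBAL_VARIABLE),
                            ("db", "db", EFI_GLOBAL_VARIABLE),
                            ("MokListRT", "MokListRT", SHIM_LOCK_GUID)):
        try:
            raw = read(name, guid)
        except FileNotFoundError:       # legacy boot, or shim has not populated MokListRT yet
            report[key] = None
            continue
        report[key] = secure_boot_enabled(raw) if key == "secure_boot" \
            else cert_enrolled(der, efivar_payload(raw))
    return report


# Constructed sample input (NOT a real certificate): DER bytes, their PEM armoring,
# and an efivarfs-shaped MokListRT (attribute mask 0x7 followed by the payload).
DEMO_DER = bytes(range(40))
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DEMO_DER).decode()
            + "-----END CERTIFICATE-----\n")
DEMO_MOKLIST_RAW = b"\x07\x00\x00\x00" + build_x509_list(uuid.UUID(int=0), DEMO_DER)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:        # usage: script.py testcert.der|test-signing-certs.pem
        blob = f.read()
    for d in (pem_to_ders(blob.decode()) if blob.startswith(b"-----") else [blob]):
        print(check_system(d))
```

Run it against `testcert.der` (or the PEM straight from src:linux) after the mokutil reboot: `MokListRT` should flip to True for the test cert, and `db` stays False, which is the expected split; the production CA would show up in MokListRT only because shim exposes its built-in vendor cert there. The match is byte-exact on purpose: a re-issued cert with the same subject is a different key and must not pass.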