[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updated Secure Boot docs in the wiki


Il 31/03/19 08:18, Steve McIntyre ha scritto:
> I've extended and updated Lucas' initial SB page:
>   https://wiki.debian.org/SecureBoot
> to cover a lot more user-facing stuff. Please review...

Thanks for the writing. It is very nice and helpful to read. As a rather
noob user of UEFI things, here are my thoughts after reading, in the
hope they can be useful to make it even better.

 * The trust chain is rather clear to me, and it's nice in that it tries
to move from Microsft to Debian as soon as possible and to the user
itself as soon as possible.

 * I managed to enable Secure Boot on my laptop (Dell Precision 5530)
wihtout problems following instructions in the Testing page. Everything
works, with the small exception that when I run "mokutil --import" the
following is written to the output:

Failed to write MokAuth
Failed to unset MokNew

Sill, after a reboot shim will pickup the key and apparently install
correctly if I give it the password (the key will appear in "mokutil
--list-enrolled"). Similar writing appear when removing the key from
MOK, but again the key apparently correctly disappears and is not listed
any more by "--list-enrolled".

 * I understand what the main shim and the MokManager are for, but what
is FallBack for?

 * I would like to be able to compile and load my own Linux modules,
both because I want to use NVIDIA drivers and because I need to
recompile a mainline module to workaround a problem with the Dell
firmware on my laptop. It would be nice, as Debian, to offer a smooth
workflow for doing this. Is something available already? If I follow the
instructions in [1], linked by the Wiki page, it asks me to execute
"update-secureboot-policy --new-key", which launches a dialog interface
that just asks me whether I want to keep Secure Boot enable or not. It
doesn't actually take into account the option "--new-key". Is this due
to the fact that Debian doesn't have yet a signed version of shim 15?

 [1] https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS

 * Apparently I can change the root Secure Boot keys in my firmware
configuration. I do not know much of how Secure Boot key management
works, but I can modify four things called "db", "dbx", "kek" and "pk",
which is probably what I need to fully decide what can be booted on my
machine and what not, without depending from Microsoft policies. Is it
supported to verify shim at boot time with either Debian or my own key,
removing entirely the dependency on Microsoft? If it is possible, it
would be nice to document this on the Wiki.

Thank you, it is really great to be able to use Secure Boot with Debian,
and especially to have as smooth as possible for end users.

Giovanni Mascellani <g.mascellani@gmail.com>
Postdoc researcher - Université Libre de Bruxelles

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: