help with secure boot booting from live cd with own MOK key

To: debian-user@lists.debian.org
Subject: help with secure boot booting from live cd with own MOK key
From: Felix <felix@kngnt.org>
Date: Fri, 31 Oct 2025 08:38:36 +0100
Message-id: <[🔎] aa449f7af466b5601ea92b60a644d07d@kngnt.org>

Hi everybody,

I am in the process of automating (currently on a VM, but I want to useit onmy new server) the configuration of a debian trixie with ZFS on root,with FDE,out of a debian livecd. I have it working, but there is a point Idefinitivelywant to improve: Because the ZFS modules are out of kernel, I need todisablesecure boot when the process starts, keep the original kernel around,thenreboot to the configured system, reenable secure boot, register the MOKkey and

then switch to my UKI and remove the old kernel.

I am thinking, instead, in doing the following: modify the ISO to have a

persistent partition, with the hope that I can add there my MOK key,registerit and reboot, and then simplify my configuration process all the wayuntil the

last reboot.

I have tried producing such a remastered ISO, but I am getting an errorthatthe image is not OK, and seems it might be related to the fact that Iadd a

persistence partition (so secureboot stops it there).

Does anybody here have experience with this? Might you guys know if Icanrequest the enroll of a MOK key from a debian livecd, and after a rebootwiththe same livecd in place the key will still be there? Are there anytools

available to create such setup or I have to script my way through?

Thank you!

--
Felix

Reply to:

Prev by Date: Re: Problem dependencies
Next by Date: Re: Debian ships very old software (rplay, paps)
Previous by thread: Re: Problem dependencies
Next by thread: PXE booting a custom Debian installer hangs at "your installation media couldn't be mounted"
Index(es):
- Date
- Thread