Enabling Secure Boot in MX Linux

[fehlix]

Perhaps, you "still" might not know, we have a nice Chroot-Rescue-Scan available from the Whisker menu.
Suggest, to provide MX-Recipes with using MX Tools, no need to extra install tools, which are already available.

In addition, for anyone who just wants to try secure boot out, the procedure provided might create non-bootable menu entries, for other installed systems. Mainly due to the fact that the os-prober used by MX was adjusted to allow the generation of valid Manjaro Grub-menu-entries. So you would either need also to "downgrade" os-prober, which would give you unbootable manjaro entries - or manual adjust the generated invalid menu-entries.

[Head_on_a_Stick]

Suggest, to provide MX-Recipes with using MX Tools, no need to extra install tools, which are already available.

I'm not sure how the Chroot-Rescue-Scan tool would be useful for enabling Secure Boot

The guide originally advised using arch-chroot(1) from the live system but that was only because I copy&pasted it from a thread wherein the user could not boot their system at all. I've since modified it to work without that step.

for anyone who just wants to try secure boot out, the procedure provided might create non-bootable menu entries, for other installed systems. Mainly due to the fact that the os-prober used by MX was adjusted to allow the generation of valid Manjaro Grub-menu-entries.

My guide does not change the installed version of the os-prober package so workable Arch-based menu entries should still be present (AFAICT).

That problem is currently being worked on upstream: https://bugs.debian.org/cgi-bin/bugrepo ... bug=820838

[fehlix]

for anyone who just wants to try secure boot out, the procedure provided might create non-bootable menu entries, for other installed systems. Mainly due to the fact that the os-prober used by MX was adjusted to allow the generation of valid Manjaro Grub-menu-entries.

My guide does not change the installed version of the os-prober package so workable Arch-based menu entries should still be present (AFAICT).
[/code]

I have only tested with manjaro, and our mx-osprober works closely with mx-grub.

That problem is currently being worked on upstream: https://bugs.debian.org/cgi-bin/bugrepo ... bug=820838

Well, early-initrd's are already officially supported by grub2.04, but only debian seems not to have it adjusted, accordingly, yet.
It works with MX-grub/os-prober already.

[Stevo]

The virtualbox in the repo is fully open source, not proprietary, so is it just that its modules don't get signed anyway after building? What about other open DKMS drivers, such as ZFS?

[Head_on_a_Stick]

The virtualbox in the repo is fully open source, not proprietary, so is it just that its modules don't get signed anyway after building?

Yes, that is correct.

What about other open DKMS drivers, such as ZFS?

No, ZFS won't work in Debian with Secure Boot enabled. I tried it already

the os-prober used by MX was adjusted to allow the generation of valid Manjaro Grub-menu-entries

I have some good news and some bad news about that...

On the up side my suggested changes do not break MX's os-prober modifications and the system will still generate bootable entries for Arch-based systems with the CPU µcode package installed.

The bad news is that MX's os-prober modifications *do not* create a boot entry that actually loads the CPU µcode and so any Arch-based systems booted from MX's GRUB will not be loading the µcode.

A correct Arch-based boot entry would look like this (example shows an AMD system):

Code: Select all

echo 'Loading initial ramdisk'
initrd /boot/amd-ucode.img /boot/initramfs-linux.img

https://wiki.archlinux.org/index.php/Microcode#GRUB

But MX generates an entry like this:

Code: Select all

echo 'Loading initial ramdisk'
initrd /boot/initramfs-linux.img

^ That is wrong.

[fehlix]

But MX generates an entry like this:

Code: Select all

echo 'Loading initial ramdisk'
initrd /boot/initramfs-linux.img

^ That is wrong.

Yes, with having installed buster's grub-common, it will have overwritten

Code: Select all

/etc/grub.d/30_os-prober

So you might adjust your receipt by adding this post-install procedure, after having installed
buster secure-boot enabled grub's:

Code: Select all

cp /usr/local/share/live-files/files/etc/grub.d/30_os-prober /etc/grub.d/30_os-prober

And in case os-prober have been also "downgraded" to buster's version one would need restore this file:

Code: Select all

/usr/lib/linux-boot-probes/mounted/40grub2

from MX provided os-prober version ( 1.77mx19+1)
which shall then generate proper grub entry for arch special early-initrd handling.
Or alternatively, as a pre-procedure, backup-both files and restore after secure-boot installation.
HTH

[Head_on_a_Stick]

with having installed buster's grub-common, it will have overwritten

No, you misunderstand.

I have tested MX-19's os-prober by installing both MX-19 and Arch on the same (virtual) disk, the quoted incorrect menuentry was generated by the stock MX-19 system. I had not made any changes to that system at all.

[fehlix]

with having installed buster's grub-common, it will have overwritten

No, you misunderstand.

I have tested MX-19's os-prober by installing both MX-19 and Arch on the same (virtual) disk, the quoted incorrect menuentry was generated by the stock MX-19 system. I had not made any changes to that system at all.

Oh, that would be another thread . I have tested with Manjaro. Will check what arch does differently.

[asqwerth]

I don't know if this is relevant, but Manjaro itself has modified its grub package, so that it's not using the same grub that Arch does.

https://forum.manjaro.org/t/call-for-te ... lla/100190

Users who don't want Manjaro's grub package and prefer the "normal" one that Arch uses, have to replace it with grub-vanilla package.

[fehlix]

I don't know if this is relevant, but Manjaro itself has modified its grub package, so that it's not using the same grub that Arch does.

https://forum.manjaro.org/t/call-for-te ... lla/100190

Users who don't want Manjaro's grub package and prefer the "normal" one that Arch uses, have to replace it with grub-vanilla package.

Thanks. That's probably easier to test using manjaro with vanilla grub.