MX Linux Forum

@MultipleX
I would suggest you wait for the RC. It should be coming soon.

MultipleX wrote: Mon Sep 27, 2021 8:14 am Coming back to my original issue, one thing that I realised when running through the instructions contained in the links from #2 and #3 is that at no point did mukutil come up and ask me to enrol the Debian key in the BIOS so it might this have been what was missing? The instructions in the link above show you how to enrol one's own generated key, but where do I get the Debian public key from?

B/c Debians signing key is signed by a Microsoft key, where MS's public counterpart is available already within the UEFI firmware, hence no key-enrolement using mokutil are required.

richb wrote: Mon Sep 27, 2021 8:33 am @MultipleX
I would suggest you wait for the RC. It should be coming soon.

No problem. Happy to wait. Seems reasonable.

fehlix wrote: Mon Sep 27, 2021 8:38 am

MultipleX wrote: Mon Sep 27, 2021 8:14 am Coming back to my original issue, one thing that I realised when running through the instructions contained in the links from #2 and #3 is that at no point did mukutil come up and ask me to enrol the Debian key in the BIOS so it might this have been what was missing? The instructions in the link above show you how to enrol one's own generated key, but where do I get the Debian public key from?

B/c Debians signing key is signed by a Microsoft key, where MS's public counterpart is available already within the UEFI firmware, hence no key-enrolement using mokutil are required.

Ah, that would explain it then. Thank you.

Wouldn't that presumably mean that any DKMS drivers (e.g. VirtualBox, Nvidia) would need to be signed with Microsoft's key as well?

MultipleX wrote: Tue Sep 28, 2021 4:39 am

richb wrote: Mon Sep 27, 2021 8:33 am @MultipleX
I would suggest you wait for the RC. It should be coming soon.

No problem. Happy to wait. Seems reasonable.

fehlix wrote: Mon Sep 27, 2021 8:38 am

MultipleX wrote: Mon Sep 27, 2021 8:14 am Coming back to my original issue, one thing that I realised when running through the instructions contained in the links from #2 and #3 is that at no point did mukutil come up and ask me to enrol the Debian key in the BIOS so it might this have been what was missing? The instructions in the link above show you how to enrol one's own generated key, but where do I get the Debian public key from?

B/c Debians signing key is signed by a Microsoft key, where MS's public counterpart is available already within the UEFI firmware, hence no key-enrolement using mokutil are required.

Ah, that would explain it then. Thank you.

Wouldn't that presumably mean that any DKMS drivers (e.g. VirtualBox, Nvidia) would need to be signed with Microsoft's key as well?

I think, one would generate one-time a local signing key, which would need to be put into UEFI firmware by using mokutil key-enrolement, and sign the driver with that key. I think, but I might be wrong, that's still the way Ubuntu and co. are doing it, but need to check where they are now with latest releases.

Meanwhile, these may be useful in general about what secure boot is and also what it's not :

https://wiki.debian.org/SecureBoot

https://linuxhint.com/secure-boot-linux/

@fehlix that's how they do it with the modules. upon reboot, there is a prompt to accept the self-signed modules, IIRC. this happens when you do broadcom drivers on ubuntu.

I discovered kvm and QEMU today as an alternative to VirtualBox. It seems kvm already has hooks into the kernel so doesn't need dkms drivers and Debian provides signed drivers. I tried it on Mint and it seems to works fine. The Debian VM that was created using virt-manager also seemed to run without any problems in a secure boot environment. I suspect the drivers are bundled with the package supplied on the Ubuntu repository as I didn't have to install anything else than the usually recommended packages. I have yet to test an OS that is not secure boot aware.

I have decided to go with a dual-boot setup with Mint20.2 and MX-21 when the release candidate becomes available. In the meantime the MX partition has MX-19 installed on it. MX feels a little snappier than Mint and I hope to move over to it in due course.

I had to turn off Secure Boot on my Dell 7380 laptop to get my system to boot, couldn't get it to work any other way.

MultipleX wrote: Sat Sep 25, 2021 3:59 pm With Microsoft using its clout to force the issue in its next OS release, this is going to prove interesting. Will we have to go into BIOS and enable/disable SecureBoot every time we want to switch between Linux and Windows?

As if I'm going to be caught dead using Windows 11... 10 is already bad enough. And I say all this as a big former Windows fan too.

The good news though is that you won't need to run Windows 11 any time soon for compatibility reasons. What runs on Windows 11 will run on 10 as well for the foreseeable future.

MultipleX wrote: Sat Sep 25, 2021 3:59 pm How long will it be before disabling SecureBoot is no longer supported in BIOS?

Pretty sure that won't happen. There's no reason to take it out.

richb wrote: Mon Sep 27, 2021 8:33 am @MultipleX
I would suggest you wait for the RC. It should be coming soon.

WHEN

richb wrote: Mon Sep 27, 2021 8:33 am @MultipleX
I would suggest you wait for the RC. It should be coming soon.

WHEN

When it's ready