Enabling Secure Boot in MX Linux

Head_on_a_Stick
Posts: 919
Joined: Sun Mar 17, 2019 3:37 pm

Enabling Secure Boot in MX Linux

#1 Post by Head_on_a_Stick »

Now that Debian buster fully supports Secure Boot it is possible to also enable MX-19. Unfortunately Secure Boot does not allow for custom kernel modules so this guide should not be followed if the proprietary NVIDIA, Broadcom or VirtualBox drivers are needed; it also removes the ability to load ndiswrapper-derived drivers.

To enable Secure Boot first remove the various DKMS-related packages, as explained above:

Code:

sudo apt purge dkms broadcom-sta-dkms ndiswrapper{,-dkms,-utils-1.9} virtualbox-guest-{dkms,utils{,-modified-init},x11}

Now install the required Secure Boot packages:

Code:

sudo apt install shim-signed grub-efi-amd64-{signed,bin=2.02+dfsg1-20} grub{,2}-common=2.02+dfsg1-20 linux-image-amd64

You will be asked if you want to replace the maintainer script at /etc/grub.d/10_linux; say "no" (which is the default) to keep MX's modified GRUB script.

Also copy the old 30_os-prober script back if dual-booting with Manjaro:

Code:

sudo cp /usr/local/share/live-files/files/etc/grub.d/30_os-prober /etc/grub.d/30_os-prober

And finally pin the grub{,2}-common & grub-efi-amd64-bin packages so that the Debian versions are preferred over the MX versions:

Code:

sudo tee /etc/apt/preferences.d/secure-boot <<END
Package: grub-common grub2-common grub-efi-amd64-bin
Pin: release o=Debian
Pin-Priority: 1001
END

Secure Boot should now work in MX.

EDIT: corrected purge command and simplified procedure.
EDIT2: added fehlix's fix.
Last edited by Head_on_a_Stick on Mon Jun 08, 2020 8:38 am, edited 5 times in total.
mod note: Signature removed, please read the forum rules
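
A pre-flight check for the first post's warning that custom kernel modules stop working, added here as an example and not part of the original post: it lists loaded modules whose `modinfo` "signer" field is empty. The function names, the optional arguments and the sample data are constructed for illustration, and it assumes an unsigned module reports no signer.

```shell
#!/bin/sh
# Added example (not from the thread): list loaded kernel modules that
# carry no signature, before purging the DKMS packages.

# unsigned_loaded_modules [FILE] [MODINFO_CMD]
# FILE uses the /proc/modules layout (module name in the first column).
# MODINFO_CMD is a hook for offline testing (assumption); default: modinfo.
# Prints each module whose "signer" field is empty.
unsigned_loaded_modules() {
    modules_file=${1:-/proc/modules}
    modinfo_cmd=${2:-modinfo}
    while read -r name _rest; do
        [ -n "$name" ] || continue
        signer=$("$modinfo_cmd" -F signer "$name" 2>/dev/null) || signer=
        [ -n "$signer" ] || printf '%s\n' "$name"
    done < "$modules_file"
}

# --- Constructed sample data so the check can be tried offline ---
# Stand-in for `modinfo -F signer NAME`: only ext4 is signed here.
sample_modinfo() {
    case $3 in
        ext4) printf '%s\n' 'Constructed Kernel Signing Key' ;;
        *)    printf '\n' ;;
    esac
}

# Writes a constructed /proc/modules excerpt to the given path.
write_sample_modules() {
    cat > "$1" <<'EOF'
wl 6463488 0 - Live 0x0000000000000000 (POE)
vboxguest 348160 2 vboxsf, Live 0x0000000000000000 (OE)
ext4 745472 1 - Live 0x0000000000000000
EOF
}

# Runs the check against the constructed sample.
demo_unsigned_modules() {
    tmp=$(mktemp)
    write_sample_modules "$tmp"
    unsigned_loaded_modules "$tmp" sample_modinfo
    rm -f "$tmp"
}
```

On a real system, call `unsigned_loaded_modules` with no arguments; any module it prints is one to expect to lose once Secure Boot is enabled.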

jocester
Posts: 76
Joined: Sun Apr 19, 2020 3:27 am

Re: Enabling Secure Boot in MX Linux

#2 Post by jocester »

That doesn't work with unsigned kernels, does it?

Head_on_a_Stick
Posts: 919
Joined: Sun Mar 17, 2019 3:37 pm

Re: Enabling Secure Boot in MX Linux

#3 Post by Head_on_a_Stick »

No. But the signed kernels work just fine with the rest of the MX ecosystem, not sure why the developers use the unsigned versions.

fehlix
Developer
Posts: 12613
Joined: Wed Apr 11, 2018 5:09 pm

Re: Enabling Secure Boot in MX Linux

#4 Post by fehlix »

Head_on_a_Stick wrote: Fri Jun 05, 2020 5:34 am Secure Boot should now work in MX.
Have you tried it?

JayM
Posts: 6796
Joined: Tue Jan 08, 2019 3:47 am

Re: Enabling Secure Boot in MX Linux

#5 Post by JayM »

Wouldn't this break Broadcom wifi, NDIS wrapper (if someone's using it) and VirtualBox?

JayM
Posts: 6796
Joined: Tue Jan 08, 2019 3:47 am

Re: Enabling Secure Boot in MX Linux

#6 Post by JayM »

Wouldn't this break Broadcom wifi, NDIS wrapper (if someone's using it) and VirtualBox guest additions? The last two are probably expendable in most installed systems but I'm a bit hinky about removing Broadcom dkms. One could simply disable secure boot in their UEFI settings instead.

Head_on_a_Stick
Posts: 919
Joined: Sun Mar 17, 2019 3:37 pm

Re: Enabling Secure Boot in MX Linux

#7 Post by Head_on_a_Stick »

fehlix wrote: Fri Jun 05, 2020 8:12 am Have you tried it?
Not at the time of posting :p

I have now though:

Code:

empty@mx:~ $ grep PRETTY /etc/lsb-release
PRETTY_NAME="MX 19.2 patito feo"
empty@mx:~ $ mokutil --sb-state
SecureBoot enabled
empty@mx:~ $

:happy:
JayM wrote: Fri Jun 05, 2020 9:10 am Wouldn't this break Broadcom wifi, NDIS wrapper (if someone's using it) and VirtualBox guest additions?
Yes. I have explained that in the OP, sorry if it isn't very clear.
JayM wrote: Fri Jun 05, 2020 9:10 am One could simply disable secure boot in their UEFI settings instead.
Some machines do not have that option and Microsoft is trying to make Secure Boot mandatory.

fehlix
Developer
Posts: 12613
Joined: Wed Apr 11, 2018 5:09 pm

Re: Enabling Secure Boot in MX Linux

#8 Post by fehlix »

Head_on_a_Stick wrote: Fri Jun 05, 2020 9:38 am
fehlix wrote: Fri Jun 05, 2020 8:12 am Have you tried it?
Not at the time of posting :p
I meant do you get a Grub-menu to boot into the MX Linux. I got a nice Grub-shell.
So something with the signed-efi. Perhaps an embedded early-grub is missing or it does not find the grub.cfg helper, like this one:

Code:

configfile /efi/mx/grub.cfg

Doing early-grub manually gives me the Grub-menu.

fehlix
Developer
Posts: 12613
Joined: Wed Apr 11, 2018 5:09 pm

Re: Enabling Secure Boot in MX Linux

#9 Post by fehlix »

Seems they have hardcoded the "early" prefix to "/EFI/debian", despite the grub-install process creating an /EFI/mx.
So one would need to copy manually the "early" grub.cfg from /EFI/mx/grub.cfg to EFI/debian/grub.cfg.
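
The manual copy described in the post above, written as a script; this is an added example, not part of the original posts. The function names, the /boot/efi default for the ESP mount point and the sample file content are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): copy the "early" grub.cfg from
# EFI/mx to EFI/debian on the EFI system partition (ESP).

# sync_early_grub_cfg [ESP_ROOT]
# ESP_ROOT defaults to /boot/efi (assumed mount point).
# Prints "copied" or "unchanged"; returns 1 if the source file is missing.
sync_early_grub_cfg() {
    esp=${1:-/boot/efi}
    src=$esp/EFI/mx/grub.cfg
    dst_dir=$esp/EFI/debian
    dst=$dst_dir/grub.cfg

    if [ ! -f "$src" ]; then
        echo "missing: $src" >&2
        return 1
    fi
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo "unchanged"
        return 0
    fi
    # Keep a differing existing file rather than overwriting it silently.
    if [ -f "$dst" ]; then
        cp "$dst" "$dst.bak" || return 1
    fi
    mkdir -p "$dst_dir" && cp "$src" "$dst" || return 1
    echo "copied"
}

# Builds a constructed ESP tree in a temp dir and runs the copy twice.
demo_sync() {
    esp_tmp=$(mktemp -d)
    mkdir -p "$esp_tmp/EFI/mx"
    # Constructed file content; a real early grub.cfg differs per install.
    printf '%s\n' 'configfile ($root)/boot/grub/grub.cfg' \
        > "$esp_tmp/EFI/mx/grub.cfg"
    first=$(sync_early_grub_cfg "$esp_tmp")
    second=$(sync_early_grub_cfg "$esp_tmp")
    rm -rf "$esp_tmp"
    echo "$first $second"
}
```

On an installed system this would be run as root with the ESP mounted; `mokutil --sb-state`, shown earlier in the thread, confirms the Secure Boot state after the next boot.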

Head_on_a_Stick
Posts: 919
Joined: Sun Mar 17, 2019 3:37 pm

Re: Enabling Secure Boot in MX Linux

#10 Post by Head_on_a_Stick »

Thanks fehlix, I missed that. I've added the step to the OP.

That problem was actually reported by p.H over at forums.debian.net but it hasn't been fixed yet: https://bugs.debian.org/cgi-bin/bugrepo ... bug=925309
