MX Linux Forum

Now that Debian buster fully supports Secure Boot it is possible to also enable MX-19. Unfortunately Secure Boot does not allow for custom kernel modules so this guide should not be followed if the proprietary NVIDIA, Broadcom or VirtualBox drivers are needed, it also removes the ability to load ndiswrapper-derived drivers.

To enable Secure Boot first remove the various DKMS-related packages, as explained above: Now install the required Secure Boot packages: You will be asked if you want to replace the maintainer script at /etc/grub.d/10_linux, say "no" (which is the default) to keep MX's modified GRUB script.

Also copy the old 30_os-prober script back if dual-booting with Manjaro: And finally pin the grub{,2}-common & grub-efi-amd64-bin packages so that the Debian versions are preferred over the MX versions: Secure Boot should now work in MX.

EDIT: corrected purge command and simplified procedure.
EDIT2: added fehlix's fix.

That doesn't work with unsigned kernels, does it?

No. But the signed kernels work just fine with the rest of the MX ecosystem, not sure why the developers use the unsigned versions.

Head_on_a_Stick wrote: Fri Jun 05, 2020 5:34 am Secure Boot should now work in MX.

Have you tried it?

Wouldn't this break Broadcom wifi, NDIS wrapper (if someone's using it) and VirtualBox?

Wouldn't this break Broadcom wifi, NDIS wrapper (if someone's using it) and VirtualBox guest additions? The last two are probably expendable in most installed systems but I'm a bit hinky about removing Broadcom dkms. One could simply disable secure boot in their UEFI settings instead.

fehlix wrote: Fri Jun 05, 2020 8:12 amHave you tried it?

Not at the time of posting

I have now though:

JayM wrote: Fri Jun 05, 2020 9:10 amWouldn't this break Broadcom wifi, NDIS wrapper (if someone's using it) and VirtualBox guest additions?

Yes. I have explained that in the OP, sorry if it isn't very clear.

JayM wrote: Fri Jun 05, 2020 9:10 amOne could simply disable secure boot in their UEFI settings instead.

Some machines do not have that option and Microsoft is trying to make Secure Boot mandatory.

Head_on_a_Stick wrote: Fri Jun 05, 2020 9:38 am

fehlix wrote: Fri Jun 05, 2020 8:12 amHave you tried it?

Not at the time of posting

I meant do you get a Grub-menu to boot into the MX Linux. I got a nice Grub-shell.
So something with the signed-efi. Perhaps an embedded early-grub is missing or it does not find the grub.cfg helper :
like this one: Doing early-grub manually gives me the Grub-menu.

Seems they have hardcoded the "early" prefix to "/EFI/debian". Despite the grub-install process creates an /EFI/mx.
So one would need to copy manually the "early" grub.cfg from /EFI/mx/grub.cfg to EFI/debian/grub.cfg.

Thanks fehlix, I missed that. I've added the step to the OP.

That problem was actually reported by p.H over at forums.debian.net but it hasn't been fixed yet: https://bugs.debian.org/cgi-bin/bugrepo ... bug=925309