Will MX-25 come with secureboot?

nakul
Posts: 17
Joined: Thu Mar 20, 2025 2:54 am

Re: Will MX-25 come with secureboot?

#11 Post by nakul »

Hi @dolphin_oracle,
Can you please make a tutorial on how to enable secureboot in MX Linux?

FullScale4Me
Posts: 1123
Joined: Fri Jan 08, 2021 11:30 pm

Re: Will MX-25 come with secureboot?

#12 Post by FullScale4Me »

baldyeti wrote: Sat May 10, 2025 2:29 pm according to the grub-install man page:

Code:

       --bootloader-id=ID
              the ID of bootloader. This option is only available on EFI and Macs.

so: a single option, introduced by two dashes

@FullScale4Me perhaps an erratum for your nice HowTo note
Thanks for finding the needed edit! Corrections made, both files were updated. Revision: May 13, 2025.

MX-23 Secure Boot How-to
Michael O'Toole
MX Linux facebook group moderator
Dell OptiPlex 7050 i7-7700, MX Linux 23 Xfce & Win 11 Pro
HP Pavilion P2-1394 i3-2120T, MX Linux 23 Xfce & Win 10 Home
Dell Inspiron N7010 Intel Core i5 M 460, MX Linux 23 Xfce & KDE, Win 10

dolphin_oracle
Developer
Posts: 22597
Joined: Sun Dec 16, 2007 12:17 pm

Re: Will MX-25 come with secureboot?

#13 Post by dolphin_oracle »

question:

Code:

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with the Debian’s signed efi-loader.
3 Install the signed efi-GRUB loader with Debian’s default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck

do you need 2 and 4? and can the --force-extra-removable be combined with set 2?
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Live system help document: https://mxlinux.org/wiki/help-antix-live-usb-system/

fehlix
Developer
Posts: 12852
Joined: Wed Apr 11, 2018 5:09 pm

Re: Will MX-25 come with secureboot?

#14 Post by fehlix »

dolphin_oracle wrote: Sat May 24, 2025 4:34 pm question:

Code:

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with the Debian’s signed efi-loader.
3 Install the signed efi-GRUB loader with Debian’s default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck

do you need 2 and 4? and can the --force-extra-removable be combined with set 2?

I guess the pdf was combined out of a couple of posts:
* 4 is not needed, so --force-extra-removable --recheck can go into 2
* 3 could be simplified by just cp /EFI/MX23 to /EFI/debian, but it seems simpler just to run the command with --no-nvram
* 3 is probably needed b/c "/EFI/debian" location is compiled into / "hardcoded" within debian's signed efi-loader (grubx64.efi)
Without having /EFI/debian I found it would not always fall back to the currently loaded from directory (/EFI/MX23).
and in case of a shared ESP with a Debian install, it would never boot an MX-23 signed install.
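
An added example, not part of fehlix's post or the How-to PDF: a POSIX shell audit of the three loader locations discussed above (the step 2 bootloader id, /EFI/debian and the removable fallback), checking that each holds a shim and a grubx64.efi identical to the packaged signed loader. The file names shimx64.efi and BOOTX64.EFI, the EFI/BOOT directory, the /boot/efi mount point and the reference path under /usr/lib/grub are assumptions about a Debian-style layout.

```shell
# Added example (not from the thread). Assumed names: shimx64.efi, BOOTX64.EFI,
# EFI/BOOT, /boot/efi and the reference path used in the live check below.

# Check one loader directory: shim and GRUB must exist, and GRUB must be
# byte-identical to the reference signed loader (assumption: the signed
# image is copied to the ESP unmodified, so the two files should match).
# $1 = directory, $2 = shim file name, $3 = reference signed grubx64.efi
check_loader_dir() {
    [ -d "$1" ] || { echo "missing-dir"; return 1; }
    [ -f "$1/$2" ] || { echo "missing-shim"; return 1; }
    [ -f "$1/grubx64.efi" ] || { echo "missing-grub"; return 1; }
    cmp -s "$1/grubx64.efi" "$3" || { echo "grub-differs-from-signed"; return 1; }
    echo "ok"
}

# Audit the three locations from the thread: the step 2 id, EFI/debian
# (the location fehlix describes as compiled into the signed loader) and
# the removable fallback. $1 = ESP mount, $2 = bootloader id, $3 = reference
audit_esp() {
    esp=$1; ref=$3; rc=0
    for entry in "$2 shimx64.efi" "debian shimx64.efi" "BOOT BOOTX64.EFI"; do
        name=${entry% *}; shimfile=${entry#* }
        status=$(check_loader_dir "$esp/EFI/$name" "$shimfile" "$ref") || rc=1
        printf '%-8s %s\n' "$name" "$status"
    done
    return "$rc"
}

# Live check against the mounted ESP.
if [ "${1:-}" = "--live" ]; then
    audit_esp /boot/efi MX23 /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
fi
```

Run with --live on the installed system; a "missing-dir" line for debian corresponds to the case fehlix describes, where the signed loader has no /EFI/debian to fall back to.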

FullScale4Me
Posts: 1123
Joined: Fri Jan 08, 2021 11:30 pm

Re: Will MX-25 come with secureboot?

#15 Post by FullScale4Me »

fehlix wrote: Sat May 24, 2025 5:20 pm
dolphin_oracle wrote: Sat May 24, 2025 4:34 pm question:

Code:

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with the Debian’s signed efi-loader.
3 Install the signed efi-GRUB loader with Debian’s default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck

do you need 2 and 4? and can the --force-extra-removable be combined with set 2?

I guess the pdf was combined out of a couple of posts:
* 4 is not needed, so --force-extra-removable --recheck can go into 2
* 3 could be simplified by just cp /EFI/MX23 to /EFI/debian, but it seems simpler just to run the command with --no-nvram
* 3 is probably needed b/c "/EFI/debian" location is compiled into / "hardcoded" within debian's signed efi-loader (grubx64.efi)
Without having /EFI/debian I found it would not always fall back to the currently loaded from directory (/EFI/MX23).
and in case of a shared ESP with a Debian install, it would never boot an MX-23 signed install.

Thank you both for the valued feedback!

PDF updated and uploaded - ‘Secure Boot: How to’ updated May 24, 2025
Michael O'Toole
MX Linux facebook group moderator
Dell OptiPlex 7050 i7-7700, MX Linux 23 Xfce & Win 11 Pro
HP Pavilion P2-1394 i3-2120T, MX Linux 23 Xfce & Win 10 Home
Dell Inspiron N7010 Intel Core i5 M 460, MX Linux 23 Xfce & KDE, Win 10

Jerry3904
Administrator
Posts: 23409
Joined: Wed Jul 19, 2006 6:13 am

Re: Will MX-25 come with secureboot?

#16 Post by Jerry3904 »

Nice work, Mike.
Production: MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

dolphin_oracle
Developer
Posts: 22597
Joined: Sun Dec 16, 2007 12:17 pm

Re: Will MX-25 come with secureboot?

#17 Post by dolphin_oracle »

ok installed the required packages

and did grub install commands

Code:

sudo apt install grub-efi-amd64-signed mokutil shim-signed
sudo grub-install --bootloader-id=MX23 --force-extra-removable --recheck
sudo grub-install --bootloader-id=debian --no-nvram

and I am running with secure boot

Code:

sudo mokutil --sb-state 
[sudo] password for dolphin:     
SecureBoot enabled

still leaves dkms modules as a problem. during dkms build broadcom-sta-dkms and virtualbox-dkms both report signing of modules, but neither will load with modprobe, complaining of rejected key. boot up is not prevented, the modules just don't load.
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Live system help document: https://mxlinux.org/wiki/help-antix-live-usb-system/

fehlix
Developer
Posts: 12852
Joined: Wed Apr 11, 2018 5:09 pm

Re: Will MX-25 come with secureboot?

#18 Post by fehlix »

dolphin_oracle wrote: Sat May 24, 2025 11:57 pm ok installed the required packages

and did grub install commands

Code:

sudo apt install grub-efi-amd64-signed mokutil shim-signed
sudo grub-install --bootloader-id=MX23 --force-extra-removable --recheck
sudo grub-install --bootloader-id=debian --no-nvram

and I am running with secure boot

Code:

sudo mokutil --sb-state 
[sudo] password for dolphin:     
SecureBoot enabled

still leaves dkms modules as a problem. during dkms build broadcom-sta-dkms and virtualbox-dkms both report signing of modules, but neither will load with modprobe, complaining of rejected key. boot up is not prevented, the modules just don't load.

Good, at least it shows secure boot (sb) does its job and protects against loading unsigned modules.
The user now has choices:

1/ Remove "unsigned" kernel modules if they are not needed for the system in use
The modules which are signed by mok during dkms build are still seen as "unsigned" b/c mok is not known yet to sb.

2/ "Break" sb-validation chain at shim with

Code:

sudo mokutil --disable-validation

and reboot to get mokmanager loaded and complete the processes.
The unsigned or signed-by-mok kernel modules will be loaded, which otherwise would be blocked by sb.
and at boot sb might "inform"/"warn" with a nagging message about this.

or

3/ "Enroll" ("load") the signing MOK (Machine Owner Key) certificate into the MOK-db within NVRAM
* Start the enroll process with:

Code:

sudo mokutil --import /var/lib/dkms/mok.pub

* Reboot the system to trigger loading mokmanager and complete "Enroll MOK"
* After reboot verify the mok has been loaded into the MOK-db with

Code:

sudo mokutil --list-enrolled

Windows will boot with full secure boot as it does not use shim, and Linux will be allowed to load signed-by-mok kernel modules.
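
An added example, not part of fehlix's post: the verification step of option 3 as a script, which parses the output of mokutil --list-enrolled and checks whether the SHA1 fingerprint of the DKMS certificate is among the enrolled keys. The sample listing is constructed and trimmed (its owner and fingerprints are placeholders); the function names and the use of openssl to fingerprint /var/lib/dkms/mok.pub are assumptions.

```shell
# Added example (not from the thread): is the DKMS signing key in the MOK list?
# Constructed, trimmed sample of mokutil --list-enrolled output; values are placeholders.
SAMPLE_LIST='[key 1]
Owner: 00000000-0000-0000-0000-000000000000
SHA1 Fingerprint: de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
    Data:
        Issuer: CN=Debian Secure Boot CA

[key 2]
Owner: 00000000-0000-0000-0000-000000000000
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
    Data:
        Issuer: CN=DKMS module signing key'

# Read a listing on stdin; print "fingerprint<TAB>issuer" for each enrolled key.
enrolled_keys() {
    awk 'function emit() { if (fp != "") print fp "\t" issuer; fp = ""; issuer = "" }
         /^\[key [0-9]+\]/ { emit() }
         /^SHA1 Fingerprint:/ { fp = tolower($3) }
         /^[ \t]*Issuer:/ && issuer == "" { sub(/^[ \t]*Issuer:[ \t]*/, ""); issuer = $0 }
         END { emit() }'
}

# Succeed if fingerprint $1 (any case) is in the listing text $2.
is_enrolled() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | enrolled_keys | cut -f1 | grep -qxF "$want"
}

# SHA1 fingerprint of a certificate file (DER first, then PEM), lower-case.
cert_fingerprint() {
    for form in DER PEM; do
        if out=$(openssl x509 -inform "$form" -in "$1" -noout -fingerprint -sha1 2>/dev/null); then
            printf '%s\n' "${out#*=}" | tr 'A-F' 'a-f'
            return 0
        fi
    done
    return 1
}

# Live check; run as root, as the thread's mokutil calls are run with sudo.
if [ "${1:-}" = "--live" ]; then
    fp=$(cert_fingerprint /var/lib/dkms/mok.pub) || { echo "cannot read mok.pub"; exit 2; }
    if is_enrolled "$fp" "$(mokutil --list-enrolled)"; then
        echo "enrolled: $fp"
    else
        echo "NOT enrolled: $fp (modules signed with this key will be rejected)"
    fi
fi
```

A "NOT enrolled" result after a DKMS build matches the rejected-key symptom reported in post #17: the modules are signed, but with a key the MOK list does not yet contain.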

dolphin_oracle
Developer
Posts: 22597
Joined: Sun Dec 16, 2007 12:17 pm

Re: Will MX-25 come with secureboot?

#19 Post by dolphin_oracle »

Code:

sudo mokutil --list-enrolled
[sudo] password for dolphin:     
[key 1]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA



[key 2]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 0b:64:8b:df:49:ed:2b:9b:df:3d:0c:b7:55:dd:9d:23:47:03:76:3a
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:fc:ef:df:e6:f5:e2:46:d1:4b:d9:1a:d6:ce:2d:4b:08:0a:cd:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
        Validity

3 is what I went with, as wl is loaded for some reason for me, I think for bluetooth, and I use virtualbox.

Code:

sudo mokutil --import /var/lib/dkms/mok.pub
Note I was prompted for a password (input password: ) which you need to give on the UEFI reboot to enroll the mok.pub key.

enrolling the mok key is a little clunky, but it does work. thank you!
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Live system help document: https://mxlinux.org/wiki/help-antix-live-usb-system/

dolphin_oracle
Developer
Posts: 22597
Joined: Sun Dec 16, 2007 12:17 pm

Re: Will MX-25 come with secureboot?

#20 Post by dolphin_oracle »

minor corollary to the procedure.

you can do a fresh install on a secure boot enabled system, as long as you do the install AFTER installing the grub-efi-amd64-signed mokutil shim-signed packages (say, while running live). then use a chroot (chroot-rescue scan is easy) to install the debian efi and do the mok key stuff. on first reboot, you confirm the mok key, and then continue on to boot the SB system, with the dkms modules intact and loadable.

after an install, including grub install, in the chroot (however you get into one)

Code:

sudo grub-install --bootloader-id=debian --no-nvram
sudo mokutil --import /var/lib/dkms/mok.pub
sudo reboot 
http://www.youtube.com/runwiththedolphin
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Live system help document: https://mxlinux.org/wiki/help-antix-live-usb-system/
