
Re: Will MX-25 come with secureboot?

Posted: Tue May 13, 2025 10:49 am
by nakul
Hi @dolphin_oracle ,
Can you please make a tutorial on how to enable secureboot in MX Linux

Re: Will MX-25 come with secureboot?

Posted: Tue May 13, 2025 2:15 pm
by FullScale4Me
baldyeti wrote: Sat May 10, 2025 2:29 pm according to the grub-install man page:

Code:

       --bootloader-id=ID
              the ID of bootloader. This option is only available on EFI and Macs.
so: a single option, introduced by two dashes

@FullScale4Me perhaps an erratum for your nice HowTo note
Thanks for finding the needed edit! Corrections made, both files were updated. Revision: May 13, 2025.

MX-23 Secure Boot How-to

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 4:34 pm
by dolphin_oracle
question:

Code:

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with Debian's signed efi-loader.
3 Install the signed efi-GRUB loader with Debian's default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck
do you need 2 and 4? and can the --force-extra-removable be combined with set 2?

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 5:20 pm
by fehlix
dolphin_oracle wrote: Sat May 24, 2025 4:34 pm question:

Code:

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with Debian's signed efi-loader.
3 Install the signed efi-GRUB loader with Debian's default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck
do you need 2 and 4? and can the --force-extra-removable be combined with set 2?
I guess the pdf was combined out of a couple of posts:
* 4 is not needed, so --force-extra-removable --recheck can go into 2
* 3 could be simplified by just cp /EFI/MX23 to /EFI/debian, but it seems simpler just to run the command with --no-nvram
* 3 is probably needed b/c the "/EFI/debian" location is compiled into / "hardcoded" within debian's signed efi-loader (grubx64.efi)
Without having /EFI/debian I found it would not always fall back to the currently-loaded-from directory (/EFI/MX23),
and in case of a shared ESP with a Debian install, it would never boot a MX-23 signed install.

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 8:12 pm
by FullScale4Me
fehlix wrote: Sat May 24, 2025 5:20 pm
dolphin_oracle wrote: Sat May 24, 2025 4:34 pm question:

Code:

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with Debian's signed efi-loader.
3 Install the signed efi-GRUB loader with Debian's default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck
do you need 2 and 4? and can the --force-extra-removable be combined with set 2?
I guess the pdf was combined out of a couple of posts:
* 4 is not needed, so --force-extra-removable --recheck can go into 2
* 3 could be simplified by just cp /EFI/MX23 to /EFI/debian, but it seems simpler just to run the command with --no-nvram
* 3 is probably needed b/c the "/EFI/debian" location is compiled into / "hardcoded" within debian's signed efi-loader (grubx64.efi)
Without having /EFI/debian I found it would not always fall back to the currently-loaded-from directory (/EFI/MX23),
and in case of a shared ESP with a Debian install, it would never boot a MX-23 signed install.
Thank you both for the valued feedback!

PDF updated and uploaded - ‘Secure Boot: How to’ updated May 24, 2025

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 8:17 pm
by Jerry3904
Nice work, Mike.

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 11:57 pm
by dolphin_oracle
ok installed the required packages

and did grub install commands

Code:

sudo apt install grub-efi-amd64-signed mokutil shim-signed
sudo grub-install --bootloader-id=MX23 --force-extra-removable --recheck
sudo grub-install --bootloader-id=debian --no-nvram
and I am running with secure boot

Code:

sudo mokutil --sb-state
[sudo] password for dolphin:
SecureBoot enabled
still leaves dkms modules as a problem. during dkms build broadcom-sta-dkms and virtualbox-dkms both report signing of modules, but neither will load with modprobe, complaining of rejected key. boot up is not prevented, the modules just don't load.

Re: Will MX-25 come with secureboot?

Posted: Sun May 25, 2025 6:15 am
by fehlix
dolphin_oracle wrote: Sat May 24, 2025 11:57 pm ok installed the required packages

and did grub install commands

Code:

sudo apt install grub-efi-amd64-signed mokutil shim-signed
sudo grub-install --bootloader-id=MX23 --force-extra-removable --recheck
sudo grub-install --bootloader-id=debian --no-nvram
and I am running with secure boot

Code:

sudo mokutil --sb-state
[sudo] password for dolphin:
SecureBoot enabled
still leaves dkms modules as a problem. during dkms build broadcom-sta-dkms and virtualbox-dkms both report signing of modules, but neither will load with modprobe, complaining of rejected key. boot up is not prevented, the modules just don't load.
Good, at least it shows secure boot (sb) does its job and protects against loading unsigned modules.
The user now has choices:

1/ Remove "unsigned" kernel modules if they are not needed for the system in use
The modules which are signed by mok during dkms build are still seen as "unsigned" b/c mok is not known yet to sb.

2/ "Break" sb-validation chain at shim with

Code:

sudo mokutil --disable-validation
and reboot to get mokmanager loaded and complete the process.
The unsigned or signed-by-mok kernel modules will be loaded, which otherwise would be blocked by sb.
and at boot sb might "inform"/"warn" with a nagging message about this.

or

3/ "Enroll" ("load") the signing MOK (Machine Owner Key) certificate into the MOK-db within NVRAM
* Start the enroll process with:

Code:

sudo mokutil --import /var/lib/dkms/mok.pub
* Reboot the system to trigger loading mokmanager and complete "Enroll MOK"
* After reboot verify the mok has been loaded into the MOK-db with

Code:

sudo mokutil --list-enrolled
Windows will boot with full secure boot as it does not use shim, and Linux will be allowed to load signed-by-mok kernel modules.
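As an added post-reboot check for option 3 (example code, not from fehlix's post or the MX how-to): helpers that confirm the DKMS MOK really is in the enrolled list, and that the ESP carries the signed shim+grub pair both under the chosen bootloader id and under the /EFI/debian path the signed grubx64.efi has compiled in. The text and filesystem helpers run here against constructed sample data; `check_dkms_mok_live` wires them to the real tools and assumes /var/lib/dkms/mok.pub is DER-encoded (the format mokutil --import takes).

```shell
#!/bin/sh
# Added example, not part of the how-to: post-reboot checks for option 3.

# Print the SHA1 fingerprints of enrolled certificates whose Issuer line
# contains $1, reading `mokutil --list-enrolled` output from stdin.
enrolled_fingerprints_for_issuer() {
    awk -v want="$1" '
        /^SHA1 Fingerprint:/ { fp = $3 }
        /^ *Issuer:/ && index($0, want) { print fp }'
}

# Succeed if fingerprint $1 (any hex case) is enrolled under issuer $2.
mok_enrolled() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    enrolled_fingerprints_for_issuer "$2" | tr 'A-F' 'a-f' | grep -qxF "$want"
}

# Succeed if the ESP mounted at $1 has shim+grub both under bootloader id $2
# and under 'debian', the prefix compiled into Debian's signed grubx64.efi.
esp_layout_ok() {
    for id in "$2" debian; do
        for f in shimx64.efi grubx64.efi; do
            [ -f "$1/EFI/$id/$f" ] || return 1
        done
    done
}

# Constructed sample of `mokutil --list-enrolled` output (not real keys).
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Issuer: CN=Debian Secure Boot CA
[key 2]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Issuer: CN=DKMS module signing key
'

# Live check (needs root, mokutil, openssl). Assumption: mok.pub is DER.
# sed strips the "sha1 Fingerprint=" prefix openssl prints.
check_dkms_mok_live() {
    fp=$(openssl x509 -inform DER -in /var/lib/dkms/mok.pub -noout \
             -fingerprint -sha1 | sed 's/^.*=//')
    mokutil --list-enrolled | mok_enrolled "$fp" "CN=DKMS module signing key"
}
```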

Re: Will MX-25 come with secureboot?

Posted: Sun May 25, 2025 7:50 am
by dolphin_oracle

Code:

sudo mokutil --list-enrolled
[sudo] password for dolphin:
[key 1]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA
[key 2]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 0b:64:8b:df:49:ed:2b:9b:df:3d:0c:b7:55:dd:9d:23:47:03:76:3a
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:fc:ef:df:e6:f5:e2:46:d1:4b:d9:1a:d6:ce:2d:4b:08:0a:cd:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
        Validity
3 is what I went with, as wl is loaded for some reason for me, I think for bluetooth, and I use virtualbox.

Code:

sudo mokutil --import /var/lib/dkms/mok.pub
Note I was prompted for a password (input password: ) which you need to give on the UEFI reboot to enroll the mok.pub key.

enrolling the mok key is a little clunky, but it does work. thank you!

Re: Will MX-25 come with secureboot?

Posted: Sun May 25, 2025 8:58 pm
by dolphin_oracle
minor corollary to the procedure.

you can do a fresh install on a secure boot enabled system, as long as you do the install AFTER installing the grub-efi-amd64-signed mokutil shim-signed packages (say, while running live). then use a chroot (chroot-rescue scan is easy) to do install the debian efi and do the mok key stuff. on first reboot, you confirm the mok key, and then continue on to boot the SB system, with the dkms modules intact and loadable.

after an install, including grub install, in the chroot (however you get into one)

Code:

sudo grub-install --bootloader-id=debian --no-nvram
sudo mokutil --import /var/lib/dkms/mok.pub
sudo reboot