
Will MX-25 come with secureboot?

Posted: Tue May 06, 2025 12:30 pm
by nakul
Hi MX Team,
Will you provide a secure boot option in MX-25?

Re: Will MX-25 come with secureboot?

Posted: Tue May 06, 2025 2:57 pm
by fehlix
The option to LiveBoot and install with secureboot enabled is already prepared and possible with MX-23.
Some manual steps are involved in order to also successfully secureboot the installed system.
There is somewhere a write-up within this forum on how to achieve this.
But some restrictions are involved, like dkms-wifi drivers and liquorix kernels provided by MX,
which are not signed. In addition, some tools provided by MX involved with the boot loader or UEFI need to
be used carefully, to avoid breaking the secureboot boot loader.
So in case you do not need unsigned drivers or kernels, you will probably also be able to install MX-25 with secureboot enabled.
Also there are no restrictions on signing the unsigned kernels or drivers yourself so they can be
used with secureboot enabled.

Re: Will MX-25 come with secureboot?

Posted: Tue May 06, 2025 3:14 pm
by FullScale4Me
There has been a discussion here about how to turn it on from time to time (that I have seen in MX 21 and MX 23).

So the TL;DR answer is: Secure Boot has been a user configurable option for 4+ years.

‘MX-23 Secure Boot How-to’ updated on April 24, 2025 to include MX 23. PDF 82 Kb. This PDF is a conversion of an MX 21 post in this forum by fehlix, one of the MX developers.

Re: Will MX-25 come with secureboot?

Posted: Wed May 07, 2025 2:44 am
by operadude
@fehlix & @FullScale4Me :number1:

Thanks for the posts and the resulting "How-To" :exclamation:

Greatly appreciate the 1-page short-form.

As an old CS professor was fond of saying:

"Crisp, Clean & Concise"

:cool:

Re: Will MX-25 come with secureboot?

Posted: Wed May 07, 2025 3:51 am
by FullScale4Me
The 3 page version lurks behind :-)

https://fullscale4me.com/MX-23-Secure-Boot.pdf

Re: Will MX-25 come with secureboot?

Posted: Thu May 08, 2025 4:45 am
by operadude
'Scraped'...and...

"Loving it" :exclamation:

:thumbsup:

Re: Will MX-25 come with secureboot?

Posted: Sat May 10, 2025 2:03 pm
by nakul
FullScale4Me wrote: Tue May 06, 2025 3:14 pm There has been a discussion here about how to turn it on from time to time (that I have seen in MX 21 and MX 23).

So the TL;DR answer is: Secure Boot has been a user configurable option for 4+ years.

‘MX-23 Secure Boot How-to’ updated on April 24, 2025 to include MX 23. PDF 82 Kb. This PDF is a conversion of an MX 21 post in this forum by fehlix, one of the MX developers.
This is coming when I try to install it.


Image

Re: Will MX-25 come with secureboot?

Posted: Sat May 10, 2025 2:29 pm
by baldyeti
according to the grub-install man page:

Code: Select all

       --bootloader-id=ID
              the ID of bootloader. This option is only available on EFI and Macs.
so: a single option, introduced by two dashes

@FullScale4Me perhaps an erratum for your nice HowTo note

Re: Will MX-25 come with secureboot?

Posted: Sat May 10, 2025 5:06 pm
by FullScale4Me
nakul wrote: Sat May 10, 2025 2:03 pm This is coming when i try to install it.
Image
That screen is telling you where to read for your solution.

Your peril is why I shy away from command line recommendations in my How-To documents (target audience - beginners & up). Also, this experience is why none were included in this doc, as Grub commands are both numerous and complex.

Re: Will MX-25 come with secureboot?

Posted: Sat May 10, 2025 5:09 pm
by FullScale4Me
baldyeti wrote: Sat May 10, 2025 2:29 pm according to the grub-install man page:

Code: Select all

       --bootloader-id=ID
              the ID of bootloader. This option is only available on EFI and Macs.
so: a single option, introduced by two dashes

@FullScale4Me perhaps an erratum for your nice HowTo note
Thanks for that. I'll add this to my notes for future inclusion.

Re: Will MX-25 come with secureboot?

Posted: Tue May 13, 2025 10:49 am
by nakul
Hi @dolphin_oracle ,
Can you please make a tutorial on how to enable secureboot in MX Linux?

Re: Will MX-25 come with secureboot?

Posted: Tue May 13, 2025 2:15 pm
by FullScale4Me
baldyeti wrote: Sat May 10, 2025 2:29 pm according to the grub-install man page:

Code: Select all

       --bootloader-id=ID
              the ID of bootloader. This option is only available on EFI and Macs.
so: a single option, introduced by two dashes

@FullScale4Me perhaps an erratum for your nice HowTo note
Thanks for finding the needed edit! Corrections made, both files were updated. Revision: May 13, 2025.

MX-23 Secure Boot How-to

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 4:34 pm
by dolphin_oracle
question:

Code: Select all

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with the Debian’s signed efi-loader.
3 Install the signed efi-GRUB loader with Debian’s default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck
do you need 2 and 4? and can the --force-extra-removable be combined with set 2?

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 5:20 pm
by fehlix
dolphin_oracle wrote: Sat May 24, 2025 4:34 pm question:

Code: Select all

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with the Debian’s signed efi-loader.
3 Install the signed efi-GRUB loader with Debian’s default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck
do you need 2 and 4? and can the --force-extra-removable be combined with set 2?
I guess the pdf was combined out of a couple of posts:
* 4 is not needed, so --force-extra-removable --recheck can go into 2
* 3 could be simplified by just cp /EFI/MX23 to /EFI/debian, but it seems simpler just to run the command with --no-nvram
* 3 is probably needed b/c "/EFI/debian" location is compiled into / "hardcoded" within debian's signed efi-loader (grubx64.efi)
Without having /EFI/debian I found it would not always fallback to the currently loaded from directory (/EFI/MX23).
and in case of a shared ESP with a Debian install, it would never boot a MX-23 signed install.

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 8:12 pm
by FullScale4Me
fehlix wrote: Sat May 24, 2025 5:20 pm
dolphin_oracle wrote: Sat May 24, 2025 4:34 pm question:

Code: Select all

2 Install Debian's signed efi-GRUB loader into ESP (EFI System Partition) with bootloader id 'MX23'
sudo grub-install --bootloader-id=MX23
which replaces the existing unsigned efi-GRUB loader with the Debian’s signed efi-loader.
3 Install the signed efi-GRUB loader with Debian’s default bootloader ID 'debian'.
sudo grub-install --bootloader-id=debian --no-nvram
4 Install the signed efi-GRUB loader with the removable media option for fallback.
sudo grub-install --bootloader-id=mx23 --force-extra-removable --recheck
do you need 2 and 4? and can the --force-extra-removable be combined with set 2?
I guess the pdf was combined out of a couple of posts:
* 4 is not needed, so --force-extra-removable --recheck can go into 2
* 3 could be simplified by just cp /EFI/MX23 to /EFI/debian, but it seems simpler just to run the command with --no-nvram
* 3 is probably needed b/c "/EFI/debian" location is compiled into / "hardcoded" within debian's signed efi-loader (grubx64.efi)
Without having /EFI/debian I found it would not always fallback to the currently loaded from directory (/EFI/MX23).
and in case of a shared ESP with a Debian install, it would never boot a MX-23 signed install.
Thank you both for the valued feedback!

PDF updated and uploaded - ‘Secure Boot: How to’ updated May 24, 2025

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 8:17 pm
by Jerry3904
Nice work, Mike.

Re: Will MX-25 come with secureboot?

Posted: Sat May 24, 2025 11:57 pm
by dolphin_oracle
ok installed the required packages

and did grub install commands

Code: Select all

sudo apt install grub-efi-amd64-signed mokutil shim-signed
sudo grub-install --bootloader-id=MX23 --force-extra-removable --recheck
sudo grub-install --bootloader-id=debian --no-nvram
and I am running with secure boot

Code: Select all

sudo mokutil --sb-state 
[sudo] password for dolphin:     
SecureBoot enabled
still leaves dkms modules as a problem. during dkms build broadcom-sta-dkms and virtualbox-dkms both report signing of modules, but neither will load with modprobe, complaining of rejected key. boot up is not prevented, the modules just don't load.

Re: Will MX-25 come with secureboot?

Posted: Sun May 25, 2025 6:15 am
by fehlix
dolphin_oracle wrote: Sat May 24, 2025 11:57 pm ok installed the required packages

and did grub install commands

Code: Select all

sudo apt install grub-efi-amd64-signed mokutil shim-signed
sudo grub-install --bootloader-id=MX23 --force-extra-removable --recheck
sudo grub-install --bootloader-id=debian --no-nvram
and I am running with secure boot

Code: Select all

sudo mokutil --sb-state 
[sudo] password for dolphin:     
SecureBoot enabled
still leaves dkms modules as a problem. during dkms build broadcom-sta-dkms and virtualbox-dkms both report signing of modules, but neither will load with modprobe, complaining of rejected key. boot up is not prevented, the modules just don't load.
Good, at least it shows secure boot (sb) does its job and protects against loading unsigned modules.
The user now has choices:

1/ Remove "unsigned" kernel modules if they are not needed for the system in use
The modules which are signed by mok during dkms build are still seen as "unsigned" b/c mok is not known yet to sb.

2/ "Break" sb-validation chain at shim with

Code: Select all

sudo mokutil --disable-validation
and reboot to get mokmanager loaded and complete the processes.
The unsigned or signed-by-mok kernel modules will be loaded, which otherwise would be blocked by sb.
and at boot sb might "inform"/"warn" with a nagging message about this.

or

3/ "Enroll" ("load") the signing MOK (Machine Owner Key) certificate into the MOK-db within NVRAM
* Start the enroll process with:

Code: Select all

sudo mokutil --import /var/lib/dkms/mok.pub
* Reboot the system to trigger loading mokmanager and complete "Enroll MOK"
* After reboot verify the mok has been loaded into the MOK-db with

Code: Select all

sudo mokutil --list-enrolled
Windows will boot with full secure boot as it does not use shim, and Linux will be allowed to load signed-by-mok kernel modules.

Re: Will MX-25 come with secureboot?

Posted: Sun May 25, 2025 7:50 am
by dolphin_oracle

Code: Select all

sudo mokutil --list-enrolled
[sudo] password for dolphin:     
[key 1]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA



[key 2]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 0b:64:8b:df:49:ed:2b:9b:df:3d:0c:b7:55:dd:9d:23:47:03:76:3a
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            49:fc:ef:df:e6:f5:e2:46:d1:4b:d9:1a:d6:ce:2d:4b:08:0a:cd:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
        Validity
3 is what I went with, as wl is loaded for some reason for me, I think for bluetooth, and I use virtualbox.

Code: Select all

sudo mokutil --import /var/lib/dkms/mok.pub
Note I was prompted for a password (input password: ) which you need to give on the UEFI reboot to enroll the mok.pub key.

enrolling the mok key is a little clunky, but it does work. thank you!
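
An added example, not part of the posts above: a shell check that parses `mokutil --list-enrolled` output and reports whether a given signing key is in the MOK list, which is the condition that decides whether DKMS-signed modules load. The function names are hypothetical, and the sample input is constructed from the output quoted in this post.

```shell
#!/bin/sh
# Added example: is a given signing key present in the MOK list?
# On a real system (assumes /var/lib/dkms/mok.pub is a DER certificate):
#   fp=$(openssl x509 -inform DER -in /var/lib/dkms/mok.pub -noout -fingerprint -sha1)
#   sudo mokutil --list-enrolled | mok_status "$fp"

# Constructed sample, trimmed from the listing quoted in the thread.
# "before" = only the Debian CA; "after" = DKMS key enrolled as well.
sample_enrolled() {
    cat <<'EOF'
[key 1]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Issuer: CN=Debian Secure Boot CA
EOF
    [ "$1" = "after" ] || return 0
    cat <<'EOF'

[key 2]
Owner: 605dab50-e046-4300-abb6-3dd810dd8b23
SHA1 Fingerprint: 0b:64:8b:df:49:ed:2b:9b:df:3d:0c:b7:55:dd:9d:23:47:03:76:3a
Certificate:
    Data:
        Issuer: CN=DKMS module signing key
EOF
}

# Normalise a fingerprint: drop any "label=" prefix, colons, spaces; lowercase.
norm_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# stdin: mokutil --list-enrolled output; stdout: one "fingerprint|issuer" per key.
enrolled_keys() {
    awk '
        /^\[key [0-9]+\]/    { fp = "" }
        /^SHA1 Fingerprint:/ { fp = $3 }
        /^ *Issuer:/         { sub(/^ *Issuer: */, "")
                               if (fp != "") print fp "|" $0
                               fp = "" }
    '
}

# $1: fingerprint to look for; stdin: mokutil --list-enrolled output.
# Prints "enrolled|<issuer>" or "not-enrolled".
mok_status() {
    want=$(norm_fp "$1")
    enrolled_keys | awk -F'|' -v want="$want" '
        { fp = tolower($1); gsub(/:/, "", fp) }
        fp == want { print "enrolled|" $2; found = 1 }
        END { if (!found) print "not-enrolled" }'
}

# Demo on the constructed samples: state before and after "Enroll MOK".
dkms_fp='0b:64:8b:df:49:ed:2b:9b:df:3d:0c:b7:55:dd:9d:23:47:03:76:3a'
for state in before after; do
    printf '%s: %s\n' "$state" "$(sample_enrolled "$state" | mok_status "$dkms_fp")"
done
```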

Re: Will MX-25 come with secureboot?

Posted: Sun May 25, 2025 8:58 pm
by dolphin_oracle
minor corollary to the procedure.

you can do a fresh install on a secure boot enabled system, as long as you do the install AFTER installing the grub-efi-amd64-signed mokutil shim-signed packages (say, while running live). then use a chroot (chroot-rescue scan is easy) to install the debian efi and do the mok key stuff. on first reboot, you confirm the mok key, and then continue on to boot the SB system, with the dkms modules intact and loadable.

after an install, including grub install, in the chroot (however you get into one)

Code: Select all

sudo grub-install --bootloader-id=debian --no-nvram
sudo mokutil --import /var/lib/dkms/mok.pub
sudo reboot 

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 4:19 pm
by m_pav
FullScale4Me wrote: Sat May 24, 2025 8:12 pm
PDF updated and uploaded - ‘Secure Boot: How to’ updated May 24, 2025
What are your thoughts on adding a link to the pertinent location in this thread into the document? Sometimes, folk reading through step-throughs have difficulty following them because they may be overthinking stuff.

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 4:41 pm
by FullScale4Me
I agree that an expansion is needed based on your comment and the one by dolphin earlier in this thread.

Luckily for all, I kept the longer form of this document, which had a more complete set of options beyond the single option presented in the linked document. I had taken the shortening because I thought it was the best path. I generally dislike these compact forms as they all too often leave out what you are referring to.

Yesterday I had an opportunity to devote a large block of time to resurrecting the longer one and then merging dolphin's posted method into it. After printing, I went through it and did a few hours of tweaking improvement scan of it - the resulting notes look like a toddler scribbled all over it! This is very normal for me as I'm not a software screen tweaker kinda guy.

When I return from dinner out, I'll do the comment merge, add a graphic, and post a 'preliminary' watermarked version after doing a run-through test on bare metal of how I adapted dolphin's post to see if I made an actionable documentation of his post.

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 5:57 pm
by fehlix
dolphin_oracle wrote: Sun May 25, 2025 8:58 pm minor corollary to the procedure.

you can do a fresh install on a secure boot enabled system, as long as you do the install AFTER installing the grub-efi-amd64-signed mokutil shim-signed packages (say, while running live). then use a chroot (chroot-rescue scan is easy) to install the debian efi and do the mok key stuff. on first reboot, you confirm the mok key, and then continue on to boot the SB system, with the dkms modules intact and loadable.

after an install, including grub install, in the chroot (however you get into one)

Code: Select all

sudo grub-install --bootloader-id=debian --no-nvram
sudo mokutil --import /var/lib/dkms/mok.pub
sudo reboot 
The MX Installer "minstall", when booted with secure boot and after having installed grub-efi-amd64-signed and shim-signed
(mokutil is already installed by default - I guess since MX-21),
creates an entry in NVRAM like this one:

Code: Select all

Boot000B* MX Linux	HD(2,GPT,689045a6-184b-473e-8c0f-d962306d94a6,0x1000,0x100000)/File(\EFI\MX\grubx64.efi)
which points to the grubx64-efi loader. But even though this is now debian's signed grub-efi loader, secure boot needs to go through shim,
b/c only the shim-efi loader is signed by MS, and trying to boot grubx64.efi directly will be rejected and fail.
Now why is it booting: B/c the grub-install performed by "MX Installer" will create a working fallback loader within the
fallback directory /EFI/BOOT where shim is now /EFI/BOOT/BOOTx64.efi and in addition debian's signed
grubx64.efi is also copied into /EFI/BOOT/grubx64.efi.
So when rebooting, the first entry in the boot order labeled as "MX Linux" (/EFI/MX/grubx64.efi) is ignored b/c it is not working with SB.
And UEFI will take shim at the fallback loader position, shim will find and load grubx64.efi and this will look for /EFI/debian/grub.cfg,
which looks like this:
EFI/debian/grub.cfg

Code: Select all

search.fs_uuid eaa74c5f-435f-4791-9e6a-3236ce674524 root 
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
The installer would need to be adjusted, and instead of this example line:

Code: Select all

efibootmgr -qcL "MX Linux" -d /dev/vda -p 2 -l /EFI/MX/grubx64.efi
would need to check whether installing with sb enabled and having grub-efi-amd64-signed and shim-signed installed:

Code: Select all

efibootmgr -qcL "MX Linux" -d /dev/vda -p 2 -l /EFI/MX/shimx64.efi
Also the BOOTX64.CSV entry needs to be adjusted to carry the MX label like "MX Linux".
The one taken by grub-install looks like this:
cat EFI/MX/BOOTX64.CSV

Code: Select all

shimx64.efi,debian,,This is the boot entry for debian
which can be done directly after installing shim-signed:

Code: Select all

echo "shimx64.efi,MX Linux,,This is the boot entry for MX Linux" | iconv -t UCS-2 | sudo tee /usr/lib/shim/BOOTX64.CSV
and grub-install would take the adjusted one. Or within the installer for the current installation with:

Code: Select all

echo "shimx64.efi,MX Linux,,This is the boot entry for MX Linux" | iconv -t UCS-2 |  tee EFI/MX//BOOTX64.CSV
Why is this useful? In case the user wants the boot entry "MX Linux" always on top, or dynamically generated
in case NVRAM entries got lost. The fallback efi loader fbx64.efi copy in the fallback position:

Code: Select all

cp /EFI/MX/fbx64.efi   /EFI/BOOT/fbx64.efi  
will be triggered by shim, and re-generation of a missing "MX Linux" boot entry at 1st position is performed.
B/c when booting from "disk" the shim at EFI/BOOT/BOOTX64.efi first looks for fbx64.efi and next for grubx64.efi;
if fbx64.efi was found, a missing boot entry is added and placed in first position within the efi-boot order list,
and the name "MX Linux" of the re-generated entry is the one from BOOTX64.CSV.
It may help users to see/find the "MX Linux" entry within the EFI boot options list, or in case Windows re-occupies/takes over the first boot entry, it helps to regain that position again.
ttfn
++EDIT+++
Re this step performed:

Code: Select all

sudo grub-install --bootloader-id=debian --no-nvram
could be simplified with just this: on the ESP (e.g within chroot "visited" just installed "MX Linux" or simply manually mounted ESP ):

Code: Select all

mkdir /EFI/debian
# or
rm /EFI/debian/*
# and
cp /EFI/MX/grub.cfg  /EFI/debian/grub.cfg 
b/c only grub.cfg is needed, not the full installed debian directory.

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 6:35 pm
by dolphin_oracle
good point. I didn't get to the fallback, I manually selected the entry with "shim64.efi" in it. interestingly, this shows up in nvram as a lowercase mx where by the usual grub-install shows up with a capital MX. the actual files in the fat32 ESP are all in the same MX folder though.

**edit*** just saw your edit with the simplification. will try that next go around.

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 6:52 pm
by fehlix
dolphin_oracle wrote: Mon May 26, 2025 6:35 pm good point. I didn't get to the fallback, I manually selected the entry with "shim64.efi" in it. interestingly, this shows up in nvram as a lowercase mx where by the usual grub-install shows up with a capital MX. the actual files in the fat32 ESP are all in the same MX folder though.

**edit*** just saw your edit with the simplification. will try that next go around.
* booting from disks will make efi look for the first ESP on that drive and try to boot /EFI/BOOT/BOOTx64.efi.
* It would be safer sticking with lowercase only, to avoid any efi-fat-driver issue with lower/upper case, at least that's why ubuntu and debian always use lowercase,
and grub-install will always convert to lower case the string found in DISTRIB_ID of /etc/lsb-release for both the bootloader-id and the directory, if not manually specified with --bootloader-id=

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 7:13 pm
by fehlix
2add: another issue with the MX Installer
when the nvram entry gets generated as shown in this example line:

Code: Select all

efibootmgr -qcL "MX Linux" -d /dev/vda -p 2 -l /EFI/MX/grubx64.efi
which would be adjusted to installing shim (maybe we use the longer form for better readability):

Code: Select all

efibootmgr --quiet --create --label  "MX Linux" --disk /dev/vda --part 2 --loader '\EFI\MX\shimx64.efi'
For some time now this always triggers a warning, b/c any existing "MX Linux" entry will not be replaced,
but an additional entry will be added.

Code: Select all

efibootmgr: ** Warning ** : Boot0001 has same label MX Linux
If you reinstall, a further entry will be added, instead of replaced.
And the issue is: if the existing entry was made with a non-secureboot install, like this entry:

Code: Select all

Boot0001* MX Linux	HD(2,GPT,689045a6-184b-473e-8c0f-d962306d94a6,0x1000,0x100000)/File(\EFI\MX\grubx64.efi)
the user would now have two or more entries: one which would not work with secureboot and an identically labeled "MX Linux" one which would work:

Code: Select all

Boot000B* MX Linux	HD(2,GPT,689045a6-184b-473e-8c0f-d962306d94a6,0x1000,0x100000)/File(\EFI\MX\shimx64.efi)
So the logic with the installer seems to be broken to "replace" an existing entry, but of course only an entry related to that one ESP involved.
We could avoid this simply by going back to what we had and keep bootloader-id and directory identical, e.g. just "MX",
or just lowercase "mx" and let grub-install do this, b/c grub-install will replace an existing entry and would not create an additional one.
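
An added example, not from fehlix's post or the MX installer: a shell filter that reads `efibootmgr` output in the format quoted above and flags entries whose loader is GRUB itself rather than shim, plus labels used by more than one entry. The function names and the `BootCurrent`/`BootOrder` sample lines are assumptions; the two boot entries are constructed from the ones shown in the post.

```shell
#!/bin/sh
# Added example: audit UEFI boot entries for the two problems described above:
#   1. an entry that loads grubx64.efi directly (rejected under Secure Boot,
#      since the chain has to start at shim), and
#   2. several entries sharing one label, e.g. after repeated installs.
# On a real system: efibootmgr -v | audit_boot_entries

# Constructed sample input built from the two entries quoted in the thread.
sample_entries() {
    dev='HD(2,GPT,689045a6-184b-473e-8c0f-d962306d94a6,0x1000,0x100000)'
    printf 'BootCurrent: 000B\n'
    printf 'BootOrder: 0001,000B\n'
    printf 'Boot0001* MX Linux\t%s/File(\\EFI\\MX\\grubx64.efi)\n' "$dev"
    printf 'Boot000B* MX Linux\t%s/File(\\EFI\\MX\\shimx64.efi)\n' "$dev"
}

# stdin: efibootmgr output. stdout, one line per finding:
#   BootXXXX|label|loader path|shim, direct-grub or other
#   duplicate-label|label|BootXXXX BootYYYY ...
audit_boot_entries() {
    # Turn backslashes into slashes first so awk needs no backslash escaping.
    tr '\\' '/' | awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
        num  = substr($0, 1, 8)
        rest = substr($0, 11)
        tab  = index(rest, "\t")
        label = (tab > 0) ? substr(rest, 1, tab - 1) : rest
        if (!match(rest, /File\([^)]*\)/)) next      # not a file-based entry
        loader = substr(rest, RSTART + 5, RLENGTH - 6)
        n = split(tolower(loader), part, "/")        # FAT is case-insensitive
        base = part[n]
        if (base == "shimx64.efi")                   kind = "shim"
        else if (base ~ /^grub(x64|ia32)\.efi$/)     kind = "direct-grub"
        else                                         kind = "other"
        print num "|" label "|" loader "|" kind
        if (seen[label]++ == 0) { order[++count] = label; ids[label] = num }
        else ids[label] = ids[label] " " num
    }
    END {
        for (i = 1; i <= count; i++)
            if (seen[order[i]] > 1)
                print "duplicate-label|" order[i] "|" ids[order[i]]
    }'
}

# Demo on the constructed sample.
sample_entries | audit_boot_entries
```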

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 8:34 pm
by dolphin_oracle
the shim entry would work whether secure boot enabled or not?

@fehlix

so something like this:

Code: Select all

 // Add a new NVRAM boot variable.
            if (fitesp != partman.mounts.end()) {
                const PartMan::NameParts &bs = PartMan::splitName(fitesp->second->name);
                
                //efi size & secureboot
                //if 32, don't bother with secure boot
                //if 64, check for secure boot shimx64.efi
                QString efitype;
                if (efisize==32){
                    efitype="/grubia32.efi";
                } else {
                    efitype="/grubx64.efi";
                    if (QFile("/usr/lib/shim/shimx64.efi").exists()){
                        efitype="/shimx64.efi";
                    }
                }
                proc.exec("efibootmgr", {"-qcL", loaderLabel, "-d", "/dev/"+bs.drive, "-p", bs.partition,
                    "-l", "/EFI/" + loaderID + efitype});
in this case, loaderLabel and loaderID are both lowercase (set earlier).

Re: Will MX-25 come with secureboot?

Posted: Mon May 26, 2025 9:06 pm
by fehlix
dolphin_oracle wrote: Mon May 26, 2025 8:34 pm the shim entry would work whether secure boot enabled or not?
yes! There is also an identical but unsigned shim, which would have the benefit of introducing
the dynamic fallback re-generation. The shim functionality
to look for fbx64.efi or for grubx64.efi within the same /EFI/BOOT directory
is not dependent on being signed or not. So having shim always involved may help not only with secure boot.
Also LiveBoot uses an identical way for non-secureboot: BOOTX64.efi is shimx64.efi
on the LiveESP, and it loads grubx64.efi found within the same directory, which further looks for grub.cfg under /boot/grub.
That's also the reason why in LiveBoot we have a fallback.efi, b/c on some older Dell liveboot efi-system always tried
to load fallback.efi instead of grubx64.efi. fallback.efi was an early name used by fedora, no longer used, and now only fbx64.efi is used.
BitJam found and fixed that historical bug for some of the older EFI-systems by introducing fallback.efi as a copy of grubx64.efi.

Re: Will MX-25 come with secureboot?

Posted: Tue May 27, 2025 1:38 pm
by fehlix
dolphin_oracle wrote: Mon May 26, 2025 8:34 pm so something like this:

Code: Select all

 // Add a new NVRAM boot variable.
            if (fitesp != partman.mounts.end()) {
                const PartMan::NameParts &bs = PartMan::splitName(fitesp->second->name);
                
                //efi size & secureboot
                //if 32, don't bother with secure boot
                //if 64, check for secure boot shimx64.efi
                QString efitype;
                if (efisize==32){
                    efitype="/grubia32.efi";
                } else {
                    efitype="/grubx64.efi";
                    if (QFile("/usr/lib/shim/shimx64.efi").exists()){
                        efitype="/shimx64.efi";
                    }
                }
                proc.exec("efibootmgr", {"-qcL", loaderLabel, "-d", "/dev/"+bs.drive, "-p", bs.partition,
                    "-l", "/EFI/" + loaderID + efitype});
in this case, loaderLabel and loaderID are both lowercase (set earlier).
Haven't seen your addition until just now..

* generation of an NVRAM boot variable with the current implementation fails to remove (or better update) an existing one
which makes with every install attempt another boot-entry in the nvram.

* we have two shims, unsigned and signed:

Code: Select all

/usr/lib/shim/shimx64.efi
/usr/lib/shim/shimx64.efi.signed

where grub-install if secure-boot detected will use /usr/lib/shim/shimx64.efi.signed
So, as this is currently run after "grub-install --no-nvram ...",
we might check an existing shim at /EFI/loaderID/shimx64.efi, which was added by grub-install.
and use this , otherwise use grubx64.efi

Re: Will MX-25 come with secureboot?

Posted: Tue May 27, 2025 2:05 pm
by dolphin_oracle
fehlix wrote: Tue May 27, 2025 1:38 pm
Haven't seen your addition until just now..

* generation of an NVRAM boot variable with the current implementation fails to remove (or better update) an existing one
which makes with every install attempt another boot-entry in the nvram.
yep, that will be the next thing. just trying to make something work now.
* we have two shims, unsigned and signed:

Code: Select all

/usr/lib/shim/shimx64.efi
/usr/lib/shim/shimx64.efi.signed

where grub-install if secure-boot detected will use /usr/lib/shim/shimx64.efi.signed
So, as this is currently run after "grub-install --no-nvram ...",
we might check an existing shim at /EFI/loaderID/shimx64.efi, which was added by grub-install.
and use this , otherwise use grubx64.efi
ah, gotcha.

Re: Will MX-25 come with secureboot?

Posted: Thu Jun 05, 2025 11:53 pm
by FullScale4Me
I spent some time going through multiple run-throughs of each section, completely in a bare-metal hardware sense. After each run-through, the NVram and SSD partitions were deleted to eliminate any digital cruft buildup :-)

Secure Boot: How to updated June 5, 2025. PDF 360 Kb

This version above is a thorough rework of the previously withdrawn long version. The short version was deemed by me and popular opinion as being too short.

Re: Will MX-25 come with secureboot?

Posted: Fri Jun 06, 2025 8:23 am
by MikeR
Minor nit:
@FullScale4Me
If I cut-&-paste
mokutil -–sb-state
from Section A, item 7
I get 'Invalid option'. It requires two hyphens...
HTH
Mike

Re: Will MX-25 come with secureboot?

Posted: Fri Jun 06, 2025 1:49 pm
by FullScale4Me
MikeR wrote: Fri Jun 06, 2025 8:23 am Minor nit:
@FullScale4Me
If I cut-&-paste
mokutil -–sb-state
from Section A, item 7
I get 'Invalid option'. It requires two hyphens...
HTH
Mike
Thanks. Next time I do live testing, I'll have the file on the USB to copy the commands into the terminal. No typing from memory as it missed, as you found, a typo. Ended up being a hyphen and an em-dash, the Libre Office Writer autocorrect swapped in.