MX and secure boot
Re: MX and secure boot
I know, thanks. But posts are hard to find and a Blog is easy. Plus I'm thinking of the general change in the Secure Boot scene.
Production: MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin
- FullScale4Me
- Posts: 1161
- Joined: Fri Jan 08, 2021 11:30 pm
Re: MX and secure boot
I should have been clearer. My intent was to save Dolphin the pain of starting from a plain white screen for the first draft of the blog post.
It sorta has an anchor point on the MX WiKi article Dual Boot https://mxlinux.org/wiki/system/dual-boot/
Michael O'Toole
MX Linux facebook group moderator
Dell OptiPlex 7050 i7-7700, MX Linux 23 Xfce & Win 11 Pro
HP Pavilion P2-1394 i3-2120T, MX Linux 23 Xfce & Win 10 Home
Dell Inspiron N7010 Intel Core i5 M 460, MX Linux 23 Xfce & KDE, Win 10
Re: MX and secure boot
@Jerry3904 Agree Jerry. I was under the impression that MX KDE having an AHS kernel would not boot with secure boot enabled. But at this point I am not even sure KDE does have an AHS kernel. Trying to decipher all the posts on the topic has confused me. A single definitive blog entry would be very helpful.
Forum Rules
Guide - How to Ask for Help
richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB
Re: MX and secure boot
In the MXPI Kernels section they're called "Debian ... (AHS)", therefore I was thinking that they were (originally) from Debian (hence signed).
- FullScale4Me
- Posts: 1161
- Joined: Fri Jan 08, 2021 11:30 pm
Re: MX and secure boot
Not mentioned in fehlix's post is the requirement of a TPM in either firmware or hardware. This is to store Debian's local copy of their signing key.
Said differently - a PC that came with Windows 7 or older most likely will NOT support Secure Boot.
When I worked in PC retail sales we did sell a LOT of new (post Windows 8 release) PCs with a TPM data store implemented but a rolled-back Windows 7 license, as these buyers did NOT want "The Windows 8 virus!". IIRC we were still selling them (by special order) past the Windows 10 release of July 2015. So, there are several hundred of these out there just in central New Jersey!
Michael O'Toole
MX Linux facebook group moderator
Dell OptiPlex 7050 i7-7700, MX Linux 23 Xfce & Win 11 Pro
HP Pavilion P2-1394 i3-2120T, MX Linux 23 Xfce & Win 10 Home
Dell Inspiron N7010 Intel Core i5 M 460, MX Linux 23 Xfce & KDE, Win 10
Re: MX and secure boot
FullScale4Me wrote: Thu Oct 26, 2023 4:34 pm
> Not mentioned in fehlix's post is the requirement of a TPM in either firmware or hardware. This is to store Debian's local copy of their signing key.

Nope, that's not a requirement for Secure Boot. Validation is done in shim, which is a signed EFI binary holding Debian's pub-key, signed with Microsoft's signature. So there is no need to hold Debian's signing key anywhere except in shim, which is on the ESP (EFI System Partition).
It goes very roughly this way:
The UEFI firmware checks two files on the ESP. First comes shimx64.efi, which is signed by Microsoft and contains Debian's signing pub-key.
The next check is the EFI GRUB loader, where Debian's signed pub-key is used to verify Debian's signature on the signed EFI GRUB bootloader.
The signed GRUB loader finally loads the kernel, which is again verified with the help of Debian's signed pub-key. Further, any kernel module is SB-verified before being loaded.
- FullScale4Me
- Posts: 1161
- Joined: Fri Jan 08, 2021 11:30 pm
Re: MX and secure boot
OK, so Today I Learned aka TIL!
So, what is MOKutil up to during the MX Linux installation process?
Michael O'Toole
MX Linux facebook group moderator
Dell OptiPlex 7050 i7-7700, MX Linux 23 Xfce & Win 11 Pro
HP Pavilion P2-1394 i3-2120T, MX Linux 23 Xfce & Win 10 Home
Dell Inspiron N7010 Intel Core i5 M 460, MX Linux 23 Xfce & KDE, Win 10
Re: MX and secure boot
richb wrote: Thu Oct 26, 2023 4:16 pm
> @Jerry3904 Agree Jerry. I was under the impression that MX KDE having an AHS kernel would not boot with secure boot enabled. But at this point I am not even sure KDE does have an AHS kernel. Trying to decipher all the posts on the topic has confused me. A single definitive blog entry would be very helpful.

I think there was a change in MX23 KDE where the AHS repo is enabled, but the kernel is Debian's signed kernel, not one compiled by MX and available on the AHS repo.
On MX-21.3 KDE we had the unsigned kernel vmlinuz-6.0.0-6mx-amd64 from the AHS repo.
On MX-23.1_KDE we now have Debian's signed kernel vmlinuz-6.1.0-13-amd64; here is how to "view" or list the signature on the kernel:
sbverify --list /boot/vmlinuz-6.1.0-13-amd64
signature 1
image signature issuers:
- /CN=Debian Secure Boot CA
image signature certificates:
- subject: /CN=Debian Secure Boot Signer 2022 - linux
issuer: /CN=Debian Secure Boot CA
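The chain fehlix describes (shim signed by Microsoft, GRUB and the kernel signed by Debian's CA) and the sbverify listing above can be turned into a check script. What follows is added example code, not from this thread or the MX project: it parses the `sbverify --list` format shown above over constructed sample output (the file paths and the shim/grub certificate names are assumptions) and flags any link whose signer was not issued by the expected CA, including an unsigned kernel like the MX-21.3 one.

```python
import re
# Constructed sample `sbverify --list` output, one entry per link of the chain
# (not captured from a machine; the kernel entry mirrors the thread's listing,
# the shim and grub entries are assumed). Paths assume Debian's ESP layout.
SAMPLE_OUTPUT = {
    "/boot/efi/EFI/debian/shimx64.efi":
        "signature 1\nimage signature issuers:\n - /CN=Microsoft Corporation UEFI CA 2011\n"
        "image signature certificates:\n - subject: /CN=Microsoft Windows UEFI Driver Publisher\n"
        "   issuer: /CN=Microsoft Corporation UEFI CA 2011\n",
    "/boot/efi/EFI/debian/grubx64.efi":
        "signature 1\nimage signature issuers:\n - /CN=Debian Secure Boot CA\n"
        "image signature certificates:\n - subject: /CN=Debian Secure Boot Signer 2022 - grub2\n"
        "   issuer: /CN=Debian Secure Boot CA\n",
    "/boot/vmlinuz-6.1.0-13-amd64":
        "signature 1\nimage signature issuers:\n - /CN=Debian Secure Boot CA\n"
        "image signature certificates:\n - subject: /CN=Debian Secure Boot Signer 2022 - linux\n"
        "   issuer: /CN=Debian Secure Boot CA\n",
    # The MX-21.3 AHS kernel named in the thread carried no signature at all.
    "/boot/vmlinuz-6.0.0-6mx-amd64": "No signature table present\n",
}
# Which CA must have issued the signing certificate of each link of the chain.
EXPECTED_ISSUER = {"shimx64.efi": "Microsoft Corporation UEFI CA 2011",
                   "grubx64.efi": "Debian Secure Boot CA", "vmlinuz": "Debian Secure Boot CA"}

def parse_sbverify(text):
    """Return (subject, issuer) pairs from sbverify's certificate listing; [] if unsigned."""
    certs, subject = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*-\s*subject:\s*(.+)", line):
            subject = m.group(1).strip()
        elif subject and (m := re.match(r"\s*issuer:\s*(.+)", line)):
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs

def cn(dn):
    """Extract the CN from a slash-separated DN such as /C=US/CN=Foo."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else dn

def check_chain(outputs):
    """Per path: True only if signed and every signer cert was issued by the expected CA."""
    result = {}
    for path, text in outputs.items():
        want = next((ca for k, ca in EXPECTED_ISSUER.items() if k in path), None)
        certs = parse_sbverify(text)
        result[path] = bool(certs) and all(cn(i) == want for _, i in certs)
    return result

if __name__ == "__main__":
    for path, ok in check_chain(SAMPLE_OUTPUT).items():
        print(("OK   " if ok else "FAIL ") + path)
```

To check a real machine, replace the sample dictionary with the output of `sbverify --list` (from the sbsigntool package) for each of the three paths.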
Re: MX and secure boot
FullScale4Me wrote: Thu Oct 26, 2023 5:17 pm
> OK, so Today I Learned aka TIL!
> So, what is MOKutil up to during the MX Linux installation process?

mokutil is used for communicating with the secure key environment on the UEFI system, e.g. for implanting new keys, either signed or self-generated MOK keys (Machine Owner's Key), or for sending an instruction to trigger a confirmation process to disable signature validation in shim, which is kind of disabling Secure Boot for Linux while keeping Secure Boot enabled for Windows.
Re: MX and secure boot
@fehlix Thanks. That clears it up for me. I was conflating old information on MX 21 with MX 23.
Forum Rules
Guide - How to Ask for Help
richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB