Support for MX and antiX Linux distros
https://www.forum.mxlinux.org/
You can boot with MX Linux and Debian's signed kernel with secure boot enabled.txtinman wrote: Sun Oct 22, 2023 2:03 pm I've installed Debian 12 on an uefi system with secure boot enabled and it works fine. As MX 23 is based on Debian 12 I would expect it to install as well. Was something changed or deleted that prevents MX from working with secure boot?
You can secure-boot from a MX Live media with a Debian signed kernel (except the MX AHS iso). And you can also install MX Linux onto the drive using MX Installer when having secure boot enabled. To keep in mind: The installation has two major parts: The MX Linux system and the boot loader. The point is that current MX Installer would install an unsigned boot loader only. Which means with secure boot enabled you would need to boot into the MX Linux system either with help of another signed boot loader, e.g from another secure-boot capable installation or from the MX LiveUSB, which offers to search for and boot into installed system. So in short, you would tell people, currently MX Linux installation is not fully secure boot capable mainly due to support of other unsigned kernels, e.g. liquorix kernels. So in order to boot into the system easiest at least after the installation to turn off secure boot within the UEFI system setup (aka PC-BIOS system settings).j2mcgreg wrote: Sun Oct 22, 2023 8:01 pm @fehlix
Does this mean that we should stop telling prospective users to disable Secure Boot prior to installing MX?
Ok I gave it a try. I installed MX 23.1 KDE and it booted with secure boot enabled. It works fine except it does not recognize my Realtek wifi. I knew this going in. Sound works and works better than the other distros I've been trying to get to work with this computer.fehlix wrote: Sun Oct 22, 2023 5:47 pmYou can boot with MX Linux and Debian's signed kernel with secure boot enabled.txtinman wrote: Sun Oct 22, 2023 2:03 pm I've installed Debian 12 on an uefi system with secure boot enabled and it works fine. As MX 23 is based on Debian 12 I would expect it to install as well. Was something changed or deleted that prevents MX from working with secure boot?
E.g all 64bit MX ISO's except the ahs ISO do boot from DVD or LiveUSB with secureboot enabled.
For installed it would require to also get Debian's signed boot loader (which we have on the ISO.),
but that just one package to get installed.
As MX also supports non-signed kernels and non-signed dkms-wifi driver secure boot is not enabled OOTB,
b/c this would break booting with non-sigened kernel and may disable some wifi driver.
So the package installer couldn't find the 6.5 kernel despite it being in the list. I installed the 6.3 ahs kernel and it sees my wifi now. However something is wonky with the audio. In system settings/audio it tests fine. Click on left speaker and get "left front", and likewise the right speaker. But no sound comes out when youtube or other audio source plays. Guess I'll try another kernel.Charlie Brown wrote: Mon Oct 23, 2023 12:51 pm You can simply install the "Debian 6.5 AHS" kernel when on KDE with "MX Package Installer" with 2 clicks.
(or just download the deb files beforehand when you have internet with others).
I wasn't familiar with that kernel so I didn't try it. The 6.3 is working good, so I may leave it for now.
Please post QSI (aka Quick System Info). Run the tool found in the menu (or type "qsi" in the search field)txtinman wrote: Mon Oct 23, 2023 2:07 pmSo the package installer couldn't find the 6.5 kernel despite it being in the list. I installed the 6.3 ahs kernel and it sees my wifi now. However something is wonky with the audio. In system settings/audio it tests fine. Click on left speaker and get "left front", and likewise the right speaker. But no sound comes out when youtube or other audio source plays. Guess I'll try another kernel.Charlie Brown wrote: Mon Oct 23, 2023 12:51 pm You can simply install the "Debian 6.5 AHS" kernel when on KDE with "MX Package Installer" with 2 clicks.
(or just download the deb files beforehand when you have internet with others).
Didn't take long, just a reboot.
So, again MX-23.1 seems to boot just fine with secure boot enabled. Even the AHS version.
Here you go-fehlix wrote: Tue Oct 24, 2023 2:41 pmPlease post QSI (aka Quick System Info). Run the tool found in the menu (or type "qsi" in the search field)txtinman wrote: Mon Oct 23, 2023 2:07 pmSo the package installer couldn't find the 6.5 kernel despite it being in the list. I installed the 6.3 ahs kernel and it sees my wifi now. However something is wonky with the audio. In system settings/audio it tests fine. Click on left speaker and get "left front", and likewise the right speaker. But no sound comes out when youtube or other audio source plays. Guess I'll try another kernel.Charlie Brown wrote: Mon Oct 23, 2023 12:51 pm You can simply install the "Debian 6.5 AHS" kernel when on KDE with "MX Package Installer" with 2 clicks.
(or just download the deb files beforehand when you have internet with others).
Didn't take long, just a reboot.
So, again MX-23.1 seems to boot just fine with secure boot enabled. Even the AHS version.
and click "Copy for Forum". Now paste the content including code-tags like those [code]here[/code].
Thanks
Code: Select all
System:
Kernel: 6.3.0-2mx-ahs-amd64 [6.3.11-1~mx23ahs] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
parameters: BOOT_IMAGE=/boot/vmlinuz-6.3.0-2mx-ahs-amd64 root=UUID=<filter> ro quiet splash
Desktop: KDE Plasma v: 5.27.5 wm: kwin_x11 vt: 7 dm: SDDM Distro: MX-23.1_KDE_x64 Libretto
October 15 2023 base: Debian GNU/Linux 12 (bookworm)
Machine:
Type: Desktop Mobo: N/A model: N/A serial: <superuser required> UEFI: American Megatrends
v: CK12V101 date: 08/11/2022
Battery:
Device-1: hidpp_battery_0 model: Logitech Wireless Keyboard serial: <filter>
charge: 55% (should be ignored) rechargeable: yes status: discharging
CPU:
Info: model: Intel Core i7-10810U bits: 64 type: MT MCP arch: Comet Lake gen: core 10 level: v3
note: check built: 2020 process: Intel 14nm family: 6 model-id: 0xA6 (166) stepping: 0
microcode: 0xF8
Topology: cpus: 1x cores: 6 tpc: 2 threads: 12 smt: enabled cache: L1: 384 KiB
desc: d-6x32 KiB; i-6x32 KiB L2: 1.5 MiB desc: 6x256 KiB L3: 12 MiB desc: 1x12 MiB
Speed (MHz): avg: 1541 high: 1600 min/max: 400/4900 scaling: driver: intel_pstate
governor: powersave cores: 1: 1600 2: 1600 3: 1600 4: 1600 5: 1600 6: 1600 7: 1600 8: 1600
9: 1600 10: 1600 11: 900 12: 1600 bogomips: 38399
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Vulnerabilities:
Type: itlb_multihit status: KVM: VMX disabled
Type: l1tf status: Not affected
Type: mds status: Not affected
Type: meltdown status: Not affected
Type: mmio_stale_data mitigation: Clear CPU buffers; SMT vulnerable
Type: retbleed mitigation: Enhanced IBRS
Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
Type: spectre_v2 mitigation: Enhanced / Automatic IBRS, IBPB: conditional, RSB filling,
PBRSB-eIBRS: SW sequence
Type: srbds status: Not affected
Type: tsx_async_abort status: Not affected
Graphics:
Device-1: Intel Comet Lake UHD Graphics driver: i915 v: kernel arch: Gen-9.5 process: Intel 14nm
built: 2016-20 ports: active: HDMI-A-1 empty: HDMI-A-2 bus-ID: 00:02.0 chip-ID: 8086:9bca
class-ID: 0300
Display: x11 server: X.Org v: 1.21.1.7 with: Xwayland v: 22.1.9 compositor: kwin_x11 driver: X:
loaded: modesetting unloaded: fbdev,vesa dri: iris gpu: i915 display-ID: :0 screens: 1
Screen-1: 0 s-res: 1680x1050 s-dpi: 96 s-size: 443x277mm (17.44x10.91") s-diag: 522mm (20.57")
Monitor-1: HDMI-A-1 mapped: HDMI-1 model: Samsung serial: <filter> built: 2011 res: 1680x1050
hz: 60 dpi: 267 gamma: 1.2 size: 160x90mm (6.3x3.54") diag: 801mm (31.5") ratio: 16:9 modes:
max: 1920x1080 min: 720x400
API: OpenGL v: 4.6 Mesa 23.1.2-1~mx23ahs renderer: Mesa Intel UHD Graphics (CML GT2)
direct-render: Yes
Audio:
Device-1: Intel Comet Lake PCH-LP cAVS driver: sof-audio-pci-intel-cnl
alternate: snd_hda_intel,snd_sof_pci_intel_cnl bus-ID: 00:1f.3 chip-ID: 8086:02c8 class-ID: 0401
API: ALSA v: k6.3.0-2mx-ahs-amd64 status: kernel-api tools: alsamixer,amixer
Server-1: PipeWire v: 0.3.65 status: active with: 1: pipewire-pulse status: active
2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet driver: r8169 v: kernel pcie:
gen: 1 speed: 2.5 GT/s lanes: 1 port: 4000 bus-ID: 01:00.0 chip-ID: 10ec:8168 class-ID: 0200
IF: eth0 state: down mac: <filter>
Device-2: Realtek driver: rtw89_8852be v: kernel modules: wl pcie: gen: 1 speed: 2.5 GT/s
lanes: 1 port: 3000 bus-ID: 02:00.0 chip-ID: 10ec:b852 class-ID: 0280
IF: wlan0 state: up mac: <filter>
Bluetooth:
Device-1: Realtek Bluetooth Radio type: USB driver: btusb v: 0.8 bus-ID: 1-7:4 chip-ID: 0bda:b85b
class-ID: e001 serial: <filter>
Report: hciconfig ID: hci0 rfk-id: 1 state: up address: <filter>
Info: acl-mtu: 1021:6 sco-mtu: 255:12 link-policy: rswitch hold sniff park
link-mode: peripheral accept service-classes: rendering, capturing, object transfer, audio,
telephony
Drives:
Local Storage: total: 2.29 TiB used: 25.29 GiB (1.1%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/sda maj-min: 8:0 model: FPT330M8SSD512G size: 476.94 GiB block-size: physical: 512 B
logical: 512 B speed: 6.0 Gb/s type: SSD serial: <filter> rev: X1.5 scheme: GPT
ID-2: /dev/sdb maj-min: 8:16 type: USB vendor: Seagate model: Expansion size: 1.82 TiB
block-size: physical: 4096 B logical: 512 B type: N/A serial: <filter> rev: 0710 scheme: GPT
Partition:
ID-1: / raw-size: 476.69 GiB size: 468.13 GiB (98.21%) used: 25.29 GiB (5.4%) fs: ext4
dev: /dev/sda2 maj-min: 8:2
ID-2: /boot/efi raw-size: 256 MiB size: 252 MiB (98.46%) used: 274 KiB (0.1%) fs: vfat
dev: /dev/sda1 maj-min: 8:1
Swap:
Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
ID-1: swap-1 type: file size: 4 GiB used: 0 KiB (0.0%) priority: -2 file: /swap/swap
Sensors:
System Temperatures: cpu: 65.0 C pch: 61.0 C mobo: N/A
Fan Speeds (RPM): N/A
Repos:
Packages: pm: dpkg pkgs: 2562 libs: 1445 tools: apt,apt-get,aptitude,nala pm: rpm pkgs: 0
pm: flatpak pkgs: 0
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/mx.list
1: deb http://mirrors.rit.edu/mxlinux/mx-packages/mx/repo/ bookworm main non-free
2: deb http://mirrors.rit.edu/mxlinux/mx-packages/mx/repo/ bookworm ahs
Info:
Processes: 302 Uptime: 5m wakeups: 3 Memory: 15.5 GiB used: 2.55 GiB (16.4%) Init: SysVinit
v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0 alt: 12
Client: shell wrapper v: 5.2.15-release inxi: 3.3.26
Boot Mode: UEFIWithin QSI the boot mode is indicated. In case of enabled secure boot it would have been shown as such .txtinman wrote: Thu Oct 26, 2023 9:51 amHere you go-fehlix wrote: Tue Oct 24, 2023 2:41 pmPlease post QSI (aka Quick System Info). Run the tool found in the menu (or type "qsi" in the search field)txtinman wrote: Mon Oct 23, 2023 2:07 pm So, again MX-23.1 seems to boot just fine with secure boot enabled. Even the AHS version.
and click "Copy for Forum". Now paste the content including code-tags like those [code]here[/code].
ThanksCode: Select all
System: Kernel: 6.3.0-2mx-ahs-amd64 [6.3.11-1~mx23ahs] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0 parameters: BOOT_IMAGE=/boot/vmlinuz-6.3.0-2mx-ahs-amd64 root=UUID=<filter> ro quiet splash Desktop: KDE Plasma v: 5.27.5 wm: kwin_x11 vt: 7 dm: SDDM Distro: MX-23.1_KDE_x64 Libretto October 15 2023 base: Debian GNU/Linux 12 (bookworm) Info: Processes: 302 Uptime: 5m wakeups: 3 Memory: 15.5 GiB used: 2.55 GiB (16.4%) Init: SysVinit v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0 alt: 12 Client: shell wrapper v: 5.2.15-release inxi: 3.3.26 Boot Mode: UEFI
Code: Select all
mokutil --sb-state
You're right. It is disabled, but how? I didn't do it. In the bios setup page there isn't a secure boot toggle and the manufacturer said it couldn't be disabled. Maybe you have to install a signed kernel and then install the unsigned one?fehlix wrote: Thu Oct 26, 2023 12:41 pmWithin QSI the boot mode is indicated. In case of enabled secure boot it would have been shown as such .txtinman wrote: Thu Oct 26, 2023 9:51 amHere you go-fehlix wrote: Tue Oct 24, 2023 2:41 pm
Please post QSI (aka Quick System Info). Run the tool found in the menu (or type "qsi" in the search field)
and click "Copy for Forum". Now paste the content including code-tags like those [code]here[/code].
ThanksCode: Select all
System: Kernel: 6.3.0-2mx-ahs-amd64 [6.3.11-1~mx23ahs] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0 parameters: BOOT_IMAGE=/boot/vmlinuz-6.3.0-2mx-ahs-amd64 root=UUID=<filter> ro quiet splash Desktop: KDE Plasma v: 5.27.5 wm: kwin_x11 vt: 7 dm: SDDM Distro: MX-23.1_KDE_x64 Libretto October 15 2023 base: Debian GNU/Linux 12 (bookworm) Info: Processes: 302 Uptime: 5m wakeups: 3 Memory: 15.5 GiB used: 2.55 GiB (16.4%) Init: SysVinit v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0 alt: 12 Client: shell wrapper v: 5.2.15-release inxi: 3.3.26 Boot Mode: UEFI
So, as mentioned you won't be able to boot an unsigned kernel when secure boot was enabled.
And all MX compiled ahs kernels are not signed.
You can check by yourself the secure boot state by running this:Code: Select all
mokutil --sb-state
:)https://www.kubuntuforums.net/forum/currently-supported-releases/kubuntu-23-04-lunar-lobster/hardware-support-bf/674575-can-t-get-audio-to-work-with-new-computer-solved-maybe-not-what-you-thought?p=674613#post674613 wrote:
On some computers, such as my HP laptop, it's hidden behind an admin password.
Seems to already exist in the form of a post (and a link to another) viewtopic.php?p=705225#p705225Jerry3904 wrote: Thu Oct 26, 2023 3:49 pm @dolphin_oracle Would it be a good idea to have a single clear Blog entry on this topic sometime? (Hope you didn't already do one...)
Nope, that's not an requirement for Secure Boot. Validation is done in shim , which is an signed efi-binary holding Debian's pub-key signed with Microsoft's signature. So no need to hold anywhere Debian's signing key except in shim which is on the ESP (EFI System Partition)FullScale4Me wrote: Thu Oct 26, 2023 4:34 pm Not mentioned in fehlix's post is the requirement of a TPM in either Firmware or hardware. This is to store Debian's local copy of their signing key.
I think there was a change in MX23 KDE where AHS repo is enabled, but the kernel is Debian's signed kernel not one compiled by MX available on AHS-repo.richb wrote: Thu Oct 26, 2023 4:16 pm @Jerry3904 Agree Jerry. I was under the impression that MX KDE having an AHS kernel would not boot with secure boot enabled. But at this point I am not even sure KDE does have an AHS kernel. Trying to decipher all the posts on the topic has confused me. A single definitive blog entry would be very helpful.
Code: Select all
sbverify --list /boot/vmlinuz-6.1.0-13-amd64
signature 1
image signature issuers:
- /CN=Debian Secure Boot CA
image signature certificates:
- subject: /CN=Debian Secure Boot Signer 2022 - linux
issuer: /CN=Debian Secure Boot CA
mokutils is used for communicating with the secure key environment on the UEFI system,FullScale4Me wrote: Thu Oct 26, 2023 5:17 pm OK, so Today I Learned aka TIL!
So, what is MOKutil up to during the MX Linux installation process?