MX and secure boot

[txtinman]

I've installed Debian 12 on an uefi system with secure boot enabled and it works fine. As MX 23 is based on Debian 12 I would expect it to install as well. Was something changed or deleted that prevents MX from working with secure boot?

[j2mcgreg]

We don't have a signed kernel on offer.

[Charlie Brown]

The default kernel (6.1) is directly from Debian.

$ apt show linux-image-6.1.0-13-amd64
Package: linux-image-6.1.0-13-amd64
Version: 6.1.55-1
Built-Using: linux (= 6.1.55-1)
Priority: optional
Section: kernel
Source: linux-signed-amd64 (6.1.55+1)

Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>

Installed-Size: 408 MB
Depends: kmod, linux-base (>= 4.3~), initramfs-tools (>= 0.120+deb8u2) | linux-initramfs-tool
Recommends: firmware-linux-free, apparmor
Suggests: linux-doc-6.1, debian-kernel-handbook, grub-pc | grub-efi-amd64 | extlinux

Conflicts: linux-image-6.1.0-13-amd64-unsigned
Breaks: fwupdate (<< 12-7), initramfs-tools (<< 0.120+deb8u2), wireless-regdb (<< 2019.06.03-1~)

Replaces: linux-image-6.1.0-13-amd64-unsigned

Homepage: https://www.kernel.org/

Download-Size: 68.7 MB

APT-Sources: http://debian.ipacct.com/debian bookworm/main amd64 Packages

Description: Linux 6.1 for 64-bit PCs (signed)
The Linux kernel 6.1 and modules for use on PCs with AMD64, Intel 64 or VIA Nano processors.

The kernel image and modules are signed for use with Secure Boot.

[fehlix]

I've installed Debian 12 on an uefi system with secure boot enabled and it works fine. As MX 23 is based on Debian 12 I would expect it to install as well. Was something changed or deleted that prevents MX from working with secure boot?

You can boot with MX Linux and Debian's signed kernel with secure boot enabled.
E.g all 64bit MX ISO's except the ahs ISO do boot from DVD or LiveUSB with secureboot enabled.
For installed it would require to also get Debian's signed boot loader (which we have on the ISO.),
but that just one package to get installed.
As MX also supports non-signed kernels and non-signed dkms-wifi driver secure boot is not enabled OOTB,
b/c this would break booting with non-sigened kernel and may disable some wifi driver.

[j2mcgreg]

@fehlix
Does this mean that we should stop telling prospective users to disable Secure Boot prior to installing MX?

[fehlix]

@fehlix
Does this mean that we should stop telling prospective users to disable Secure Boot prior to installing MX?

You can secure-boot from a MX Live media with a Debian signed kernel (except the MX AHS iso). And you can also install MX Linux onto the drive using MX Installer when having secure boot enabled. To keep in mind: The installation has two major parts: The MX Linux system and the boot loader. The point is that current MX Installer would install an unsigned boot loader only. Which means with secure boot enabled you would need to boot into the MX Linux system either with help of another signed boot loader, e.g from another secure-boot capable installation or from the MX LiveUSB, which offers to search for and boot into installed system. So in short, you would tell people, currently MX Linux installation is not fully secure boot capable mainly due to support of other unsigned kernels, e.g. liquorix kernels. So in order to boot into the system easiest at least after the installation to turn off secure boot within the UEFI system setup (aka PC-BIOS system settings).

[operadude]

Thank you @fehlix for the explanation.

I hadn't thought about it, but my experience of booting-up lots of PCs and Laptops with an MX-Live USB, the machines all boot OK, without me having to turn off Secure Boot in the BIOS/UEFI settings.

As you say, post-install is a different story, but easily corrected by turning-off Secure Boot.

Thanks again for your clarity!

[txtinman]

In my case secure boot cannot be disabled. I was trying to install the AHS version also. I found that on the computer I have the MX versions without AHS do not recognize the wifi card.

[txtinman]

I've installed Debian 12 on an uefi system with secure boot enabled and it works fine. As MX 23 is based on Debian 12 I would expect it to install as well. Was something changed or deleted that prevents MX from working with secure boot?

You can boot with MX Linux and Debian's signed kernel with secure boot enabled.
E.g all 64bit MX ISO's except the ahs ISO do boot from DVD or LiveUSB with secureboot enabled.
For installed it would require to also get Debian's signed boot loader (which we have on the ISO.),
but that just one package to get installed.
As MX also supports non-signed kernels and non-signed dkms-wifi driver secure boot is not enabled OOTB,
b/c this would break booting with non-sigened kernel and may disable some wifi driver.

Ok I gave it a try. I installed MX 23.1 KDE and it booted with secure boot enabled. It works fine except it does not recognize my Realtek wifi. I knew this going in. Sound works and works better than the other distros I've been trying to get to work with this computer.

Since KDE worked, I decided to try the AHS version with xfce. This version installed and booted also with secure boot enabled. Sees my Realtek card and sound works also, although not as well as the KDE version. The KDE version has the AHS repos installed, so maybe I can install a different kernel to get my wifi working as I would rather use KDE than xfce.

So it would appear that the 23.1 version will work with secure boot enabled. That's good for those of us who can't disable it in the bios.

[Charlie Brown]

You can simply install the "Debian 6.5 AHS" kernel when on KDE with "MX Package Installer" with 2 clicks.

(or just download the deb files beforehand when you have internet with others).