Questions tagged [secure-boot]
Questions for UEFI Secure-Boot, Secure-Boot Key Signing and Management
123 questions
1 vote, 0 answers, 54 views
Why is my unsigned BOOTX64.EFI able to boot with Secure Boot enabled?
I am trying to understand Secure Boot and what it is doing on my system. I am using systemd-boot as my bootloader, not shim or GRUB, and Secure Boot is reported as enabled: running mokutil --sb-state ...
0 votes, 0 answers, 189 views
How to secure boot raspberry pi4 with u-boot yocto image
The goal is to sign the mender yocto image and run it on secure boot enabled raspberry pi.
I have raspberrypi-4 and the yocto image from mender (open source OTA platform).
To give a quick try here is ...
0 votes, 1 answer, 85 views
Can DPDK Work With UEFI SecureBoot Enabled - Kernel Lockdown Mode?
Apologies in advance if I have incorrect assumptions in the post.
I'm still getting the hang of DPDK.
Basically, I am trying to utilize DPDK on a Generation 2 Hyper-V VM that has Secure Boot enabled.
...
0 votes, 1 answer, 134 views
Debian FAI live system can't boot with secure boot enabled
I made a custom live system using the Debian FAI service. I can't boot it with secure boot as my laptop is not recognizing the signature somehow. But I can still boot my currently installed Debian ...
2 votes, 1 answer, 244 views
Shim boot loader: System is compromised when using certificate, but not with hash
I am trying to boot a Linux kernel with efi stub enabled using Red Hat's Shim https://github.com/rhboot/shim.
I can boot the system if I enroll the hash of my efi stub (selecting GRUBX64.EFI), but ...
1 vote, 1 answer, 2k views
About Secure Boot, MOK and NVRAM
Good evening, after searching on google I didn't find the answer to my question.
When installing a distribution such as Ubuntu with secure boot activated, the installer creates a MOK key in the NVRAM ...
0 votes, 0 answers, 111 views
Mass install linux by dd to drive directly?
I need to install a custom OS to many similar/identical laptops. Would it work to live boot a laptop and dd the disk from a template laptop to the new one? Is it possible to trigger secure boot key ...
0 votes, 3 answers, 1k views
How and when is `/sys/kernel/security/tpm0/binary_bios_measurements` exposed?
Currently, I try to understand how a measured boot is working and what components log what in which pcr of a tpm2.
I have a test-setup with uefi-secure boot enabled and a tpm2 attached in a kvm ...
0 votes, 1 answer, 1k views
How do I enable UEFI secure boot for a linux build made with yocto?
I'm producing a yocto build, and want to enable UEFI Secure Boot on the intel machine I'm using. This is a pretty basic yocto build, using core-image-minimal and meta-intel. The artifacts it ...
0 votes, 1 answer, 2k views
Update NVRAM so that shimx64.efi is run instead of grubx64.efi on Debian system for secure boot
I want to configure my Debian to boot with secure boot enabled but it doesn't and here is why...
OS specific boot loaders are stored on the ESP partition which is mounted in /boot/efi
Debian system ...
0 votes, 1 answer, 733 views
"error: /boot/vmlinuz-6.6.9-amd64 has invalid signature" with secure boot on in Kali Linux
When I try to run my Kali Linux system with secure boot on, GRUB returns error: /boot/vmlinuz-6.6.9-amd64 has invalid signature. I don't want to turn off secure boot. I have followed the directions ...
0 votes, 0 answers, 453 views
How can Linux hibernation be enabled under UEFI Secure Boot on RHEL / RockyLinux / AlmaLinux?
When running under UEFI Secure Boot with a current Linux distribution, "kernel lockdown" will be instated. Multiple kernel messages along the lines of
Lockdown: swapper/0: hibernation is ...
0 votes, 1 answer, 3k views
Signing Nvidia drivers for Secure Boot - Nvidia module location
I want to sign my nvidia driver so I can use it with Secure Boot.
I'm trying to follow these instructions for nvidia driver:
https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_modules_....
1 vote, 1 answer, 2k views
MOK signed NVIDIA drivers are not loading after some time
From time to time my NVIDIA drivers (signed with MOK) are not being loaded on my dual boot machine (Ubuntu 22.04 and Windows 11). I'm resolving the issue by reinstalling the same drivers with the same ...
0 votes, 1 answer, 2k views
How to configure Secure Boot with own keys and import Microsoft KEK and DB certificates?
I am in the process of configuring Secure Boot with my own keys (PK, KEK and DB). And so far I have done everything:
Building Unified Kernel Image (UKI)
Making standalone GRUB binary
Generating own ...
2 votes, 1 answer, 219 views
With Unified Kernel Images, how are custom initrd scenarios (such as multipath boot) addressed?
I was looking at the Fedora change set for 38 and saw this which seems like a neat idea but I was wondering how this affects systems that need custom files to be present in the initrd. One example is ...
0 votes, 1 answer, 764 views
Puppy Linux secure boot key
I want to sometimes use Linux, sometimes Windows.
I found out that Puppy Linux is small, I can install it on a USB. But the problem is, if I click on my USB in the boot menu, I have to disable secure ...
0 votes, 0 answers, 2k views
Grub loads unsigned kernel with secure boot enabled
I am currently dual booting Gentoo and Windows (on two different disks). I boot on the linux drive with grub2, where I can choose either Gentoo or Windows (added by os-prober).
Recently, I updated ...
1 vote, 1 answer, 858 views
Is there a downside to a signed kernel?
Mostly a general linux question, but where it needs to be specific I am referencing Debian 12 Bookworm amd64 UEFI booting through grub (not direct kernel stub).
I have secure boot disabled in firmware ...
2 votes, 1 answer, 1k views
What is this update exactly designed for? (new BIOS?)
I own a rather older piece of server, Dell PowerEdge T20, with the latest BIOS version A20, link to Dell updates, screen of the update in case link goes dead in time:
This morning, when SSH'd into ...
1 vote, 0 answers, 3k views
USB Bootable gparted supporting Secure Boot
I want to be able to move and resize partitions on my systems, so I wanted to make a live GParted USB, thing is, it doesn't support Secure Boot, Ubuntu is overkill and takes long to boot (and ...
2 votes, 1 answer, 3k views
Arch Linux and secure boot issues
I want to install arch linux on my laptop, but I want to be able to play my games that require secure boot on windows 10. I found a tutorial to make it secure boot compatible:
Flash the ISO on the usb ...
0 votes, 0 answers, 2k views
Can't install Pop!_OS because secure boot won't disable
I'm trying to install Pop!_OS on my Windows 10 Acer Aspire E5-573G from a USB stick but I keep getting this message:
error: /casper_pop-os_22.04_amd64_nvidia_debug_125/vmlinuz.efi has invalid ...
1 vote, 2 answers, 7k views
Reset my BIOS. Now how do I fix "Invalid signature detected. Check Secure Boot Policy in Setup."?
Follow up to Grub updated and now I can't get in to the BIOS, how can I fix it?. Short version: couldn't boot to a USB thumbdrive after updating grub. I reset the BIOS to factory default (with the ...
1 vote, 0 answers, 418 views
external boot efi shell when secure boot is turned on
I don't have a built in uefi shell in my laptop and I have secure boot turned on.
I would be happy for a signed uefi shell that I can boot into (edk2, tianocore shell.efi files are not signed and I ...