Configure secure boot linux mint

Linux Mint Forums

how to setup Linux Mint with secure boot enabled.

Forum rules
Before you post please read how to get help. Topics in this forum are automatically closed 6 months after creation.

Post by martyfender » Sun Sep 08, 2019 10:11 pm

I don’t have a UEFI bios computer, but I am considering upgrading to a new one in the future and would like to know how to setup Linux Mint with secure boot enabled. I found this guide for Mint to add the EFI key.

I don’t want to do full disk encryption, but would like to import the EFI keys. Is this the way to do it, or are there simpler methods to do this? I do know it would be simpler to disable secure boot in the UEFI bios, but would it be better to import the keys to keep it enabled?

Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

how to setup Linux Mint with secure boot enabled.

Post by athi » Sun Sep 08, 2019 10:44 pm

That is a long tutorial, not really sure where the EFI key importation is in that document. The basics are that when Mint is installed on a UEFI-enabled system, it will create a folder named Ubuntu (Mint is Ubuntu based) in the EFI partition with several files (shimx64.efi, grubx64.efi, and MokManager.efi), of which grubx64.efi is the Mint EFI key. After installation, you will enter UEFI setup and import Mint grubx64.efi into the secure boot allowable key database. This will make the Mint grubx64.efi key a trusted key and allow Mint to boot with secure boot enabled. The actual steps are different due to lack of standardization in UEFI implementations, but the basic steps are the same. FYI, since secure boot only prevents booting of an unauthorized O/S and does not prevent installation of an O/S, you can install Mint with secure boot enabled.

As far as keeping secure boot enabled or not, secure boot is not required for Mint operation, so I see no need for secure boot.

how to setup Linux Mint with secure boot enabled.

Post by martyfender » Tue Sep 10, 2019 8:41 am

Re: how to setup Linux Mint with secure boot enabled.

Post by Sir Charles » Tue Sep 10, 2019 10:14 am

A web search on «secure boot compatible linux distribution» comes up with:
https://duckduckgo.com/?q=secure+boot+c . fsb&ia=web
You might be interested to have a look.

Re: how to setup Linux Mint with secure boot enabled.

Post by fabien85 » Tue Sep 10, 2019 1:09 pm

Ubuntu (on which Mint is based) is fully compatible with the Secure Boot specification.
So if the manufacturer did its job correctly (which some do not do, more on that later), then the install will just work with default Secure Boot active. Nothing particular to be done.

In detail: on the EFI partition, Ubuntu-based distros put their bootloader in EFI/ubuntu/ as athi said. In there, shimx64.efi is a signed binary which is Secure Boot compatible. It is signed with the Microsoft third-party key, which is normally stored in the Secure Boot implementation (except for a few buggy manufacturers). Shim then checks that grubx64.efi is correctly signed by Canonical (the company producing Ubuntu) and, if so, loads it. Then grub starts the bootloading, checks that the Linux kernel is also signed by Canonical, and if so gives control to the kernel.

An exception is Acer laptops. For them, after install you should be greeted by a black screen or a message «no bootable device». You then have to go into the firmware interface / BIOS, find the Secure Boot area, use «Select UEFI file as trusted for executing», navigate the EFI partition and choose EFI/ubuntu/shimx64.efi (you could also choose grubx64.efi, but grub is updated more frequently than shim and you would have to repeat the manipulation after each update).
Reference: https://itsfoss.com/no-bootable-device-found-ubuntu/

If you want to control Secure Boot completely yourself, e.g. get rid of the Microsoft keys stored in the NVRAM, put in your own keys, etc., then that’s a whole other story. It’s much more complex, newbie-unfriendly, and it depends a lot on what interfaces your manufacturer provides and whether or not they have bugs. You could read the following two references to start with:
https://www.rodsbooks.com/efi-bootloade . eboot.html
https://www.rodsbooks.com/efi-bootloade . ng-sb.html
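athi's post describes importing grubx64.efi into the Secure Boot allowable key database, and fabien85's post describes the Microsoft keys held in firmware NVRAM and the option of enrolling your own; those databases (db, dbx, KEK, and the MOK list that shim consults) are all stored as chains of EFI_SIGNATURE_LIST structures. The parser below is an added example, not code from either poster, that lists what such a database trusts; the owner GUID and the certificate bytes in its sample are constructed placeholders, and reading a real variable from /sys/firmware/efi/efivars/ is optional.

```python
import struct
import sys
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HDR = 28  # sizeof(EFI_SIGNATURE_LIST): type GUID + three uint32 fields


def parse_signature_lists(blob, strip_attrs=False):
    """Return (type, owner GUID, data) for each entry in a chain of signature lists.
    Set strip_attrs for files from /sys/firmware/efi/efivars/, which prepend
    four attribute bytes to the variable data."""
    if strip_attrs:
        blob = blob[4:]
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - HDR - hdr_size
        if sig_size <= 16 or body < 0 or body % sig_size or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        start = off + HDR + hdr_size
        for pos in range(start, start + body, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((name, str(owner), blob[pos + 16:pos + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Serialise one EFI_SIGNATURE_LIST; used here only to build the sample input."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", HDR + len(body), 0, sig_size) + body


# Constructed sample db: two SHA-256 hash entries plus one fake DER certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\xaa" * 32, b"\xbb" * 32])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 38]))

if __name__ == "__main__":  # pass an efivars db file path to inspect a real system
    data, strip = (open(sys.argv[1], "rb").read(), True) if len(sys.argv) > 1 else (SAMPLE_DB, False)
    for name, owner, payload in parse_signature_lists(data, strip):
        print(name, owner, payload.hex() if name == "sha256" else "%d-byte certificate" % len(payload))
```

On a live system, running it with the db variable file from efivars as its argument shows whether each trusted entry is an X.509 signer certificate (the way the Microsoft UEFI CA or your own custom key is enrolled) or the hash of one individual binary.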

Linux Mint (but also Ubuntu) — How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT

Author: Naldi Stefano (linux22 at Mint Forum)

First release: April 2017

Last update: 11 August 2020

This tutorial replaces my old one at https://community.linuxmint.com/tutorial/view/2360, which is malfunctioning and no longer updatable.

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

Table of contents

GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

How to enable UEFI Secure Boot with your own Custom keys

Step 1 — How to enable PC UEFI Secure Boot and put Secure Boot in Standard Mode

Step 2 — How to install Linux Mint FDE

Step 3 — How to enable PC UEFI Secure Boot, put Secure Boot in Custom Mode and Clear Secure Boot Data

Step 4 — How to create, enroll and activate your Secure Boot own Custom keys in your PC UEFI platform

Step 5 — How to sign and verify your booting files grubx64.efi and Bootx64.efi

Step 6 — Restart your PC UEFI with Secure Boot enabled in Custom Mode

Appendix A — How to set up your Custom keys and Microsoft keys together

Method 1 — Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform

Method 2 — Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories

Appendix B — How to run VirtualBox with Secure Boot enabled signing its modules with your own Custom keys

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included — PC with firmware UEFI & HDD with GPT partitioning scheme — Booting with EFI STUB loader

Copyright (C) 2019 2020 2021 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the «GNU Free Documentation License» along with this document.

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included — PC with firmware UEFI & HDD with GPT partitioning scheme — Booting with EFI STUB loader

Copyright (C) 2019 2020 2021 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the «GNU General Public License» along with this program.

Disclaimer and acknowledgments

I wrote this guide/tutorial with the hope that it will be useful for everyone who needs a Linux installation with UEFI Secure Boot enabled. The solution reported here is EXPERIMENTAL and requires good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 18.X, 19.X and 20.X (Cinnamon and Mate) and Ubuntu from 18.04.X to 20.04.X, all 64 bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.
This tutorial is devoted to a real and hard problem: dealing with UEFI Secure Boot while running a non-Windows operating system. Almost every computer sold today has UEFI and Secure Boot capability, but its default configuration is made for Windows operating systems, like 8.1 and 10.
Here I present my solution for enabling UEFI Secure Boot on a computer running Linux Mint, also with Full Disk Encryption. This solution provides a full set of Custom Keys (PK, KEK and db) generated by the user (the commands are extracted from the ‘cryptboot’ package, developed by Michal Krenek ‘Mikos’ at https://github.com/xmikos/cryptboot). With this configuration you gain full control of your computer, but you will be unable to install a Windows O.S. like 8.1 or 10 while Secure Boot is enabled, unless you decide to reinstall the Microsoft keys (in this case see Appendix A).
My first advice, if you want to install this solution, is that you MUST be familiar with UEFI configuration and with Secure Boot behaviour. My second advice, before attempting to try and install this solution, is that you become familiar with your PC UEFI Firmware Secure Boot configuration parameters and learn how to set them correctly and, if needed, how to restore the original standard keys (usually there is a specific command that restores Secure Boot to Standard Mode).
I want to thank Michal Krenek (Mikos) for his ‘cryptboot’ software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation. Although this package seems developed for Arch Linux, we can find within it the right commands and advice for almost every Linux distribution.
As I always say, it is better to try this solution in a virtual machine, but in this case the only one supporting UEFI Secure Boot emulation for Linux is QEMU/KVM. I have tested this solution with QEMU/KVM and the OVMF firmware simulating UEFI with Secure Boot enabled. At the moment it seems to work smoothly.
The solution described here requires a lot of terminal commands. If you make a mistake and run a wrong command, you can damage or erase the software configuration of your PC UEFI firmware and HDD. So, if you enter the commands listed in this guide/tutorial using ‘Copy’ and ‘Paste’, take care not to alter them.

Useful links

The topic for this tutorial at the Mint Forum is:

You can download the latest version of this tutorial in pdf format from my cloud storage at the link below:

Configuring Secure Boot

Post by rustyp » Sat Sep 24, 2022 4:35 pm

I am having some sort of secure boot video driver issue I do not understand.

The computer needs updating. I try to update and get an error that tells me to run a command in the terminal to fix it. After a few minutes a blue screen pops up with the message seen below; you can click «OK» and press the return button on the keyboard 100x and it does nothing. You have to close the terminal manually, then fight being prompted with some message I can't remember (and you're not allowed to cut and paste). I just fool with it until the terminal closes, reboot, and it boots normally.

I try to upgrade the system and it starts the same: I can't update until I fix this secure boot thing.

NOTE: below is what was in the blue terminal window that would not close. It also would NOT allow me to copy and paste the entire contents of the terminal window for some unknown reason; maybe whoever wrote the error in the blue window did not want people to copy and paste the entire error message?

┌──────────────────────── Configuring Secure Boot ────────────────────────┐
│
│ Your system has UEFI Secure Boot enabled.
│
│ UEFI Secure Boot requires additional configuration to work with
│ third-party drivers.
│
│ The system will assist you in configuring UEFI Secure Boot. To permit
│ the use of third-party drivers, a new Machine-Owner Key (MOK) has been
│ generated. This key now needs to be enrolled in your system's firmware.
│
│ To ensure that this change is being made by you as an authorized user,
│ and not by an attacker, you must choose a password now and then confirm
│ the change after reboot using the same password, in both the "Enroll
│ MOK" and "Change Secure Boot state" menus that will be presented to you
│ when this system reboots.
│
└─────────────────────────────────────────────────────────────────────────┘

Shame the industry that writes «Error» messages does not include an Error Number #00000 so users can just search for Error #00000 and find solutions.

All I know for sure is EVERY ENCOUNTER I have had with «UEFI Secure Boot» is a nightmare. If someone knows how to disable «UEFI Secure Boot», please let me know. I have never had UEFI Secure Boot on past computers; my first computer was a 486DX 33.

Last edited by LockBot on Fri Mar 24, 2023 10:00 pm, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Before posting on this site I always verify I have the latest version of Linux Mint Cinnamon installed and run Update Manager.
Thanks.
