- Linux Mint Forums
- [SOLVED] Installing Linux Mint 20.3 on a Dell Inspiron 5676 with Secure Boot.
- [SOLVED] Installing Linux Mint 20.3 on a Dell Inspiron 5676 with Secure Boot.
- 4. Now I am afraid to install the proprietary NVidia drivers, because I didn't enroll MOK and am afraid that it won't work.
- 5. And, generally, what does this "Enroll MOK" thing do after the 1-st reboot?
- 5.1. Does it mean that it puts some Ubuntu keys in the BIOS?
- 5.2. Does it mean that if I do it, then all future proprietary kernel modules that I install will happen smoothly without enrolling their own MOKs?
Linux Mint Forums
[SOLVED] Installing Linux Mint 20.3 on a Dell Inspiron 5676 with Secure Boot.
Forum rules
There are no such things as «stupid» questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help. Topics in this forum are automatically closed 6 months after creation.
[SOLVED] Installing Linux Mint 20.3 on a Dell Inspiron 5676 with Secure Boot.
Post by Mint Leaf » Sun May 22, 2022 5:30 pm
I have just purchased a used computer and plan to install Linux Mint on it.
Here are the specs as far as I know, I have yet to open the case and poke around inside it yet:
CPU: AMD Ryzen 7 2700X Pinnacle Ridge 12nm Technology RAM: 16.0GB Dual-Channel Unknown @ 1197MHz (17-17-17-39) Motherboard: Dell Inc. 0VYXHD (AM4) Graphics: ASUS VP28U (1920x1080@59Hz) 4096MB ATI AMD Radeon RX 580 (Dell) Storage 931GB Seagate ST1000DM010-2Ep102 (SATA)
After reading the forum a bit it appears that the install may have a steps that I'm not familiar with involving the installation of the drivers for the AMD hardware.
So what I'm asking is: Is there anything I should know before I get started and try to install the Mint (Cinnamon, MATE or Xfce) OS onto this computer?
I think the computer currently has Windows 10 installed so if there is any system information you think that I should look at in windows before blanking it, please let me know.
I've also purchased a new SATA harddrive to replace the one this computer came with so Mint will be installing onto a blank Harddrive. Unless I'm mistaken Linux Mint can format and partition this blank drive when it is being installed so that shouldn't be a problem.
Sadly this PC did not come with a DVD drive so I'll be trying to use a bootable USB, which is something I've read can be done with Linux Mint but have yet to attempt personally.
Any tips or words of caution would be greatly appreciated.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
"Enroll MOK" dialog after the 1-st reboot when you install Linux Mint 20.1 - what is it for (secure boot)?
however, on my installation there is no such command update-secureboot-policy .
- Now I am afraid to install the proprietary NVidia drivers, because I didn't enroll MOK and am afraid that it won't work.
- And, generally, what does this "Enroll MOK" thing do after the 1-st reboot? I really don't understand it. Does it mean that it puts some Ubuntu keys in the BIOS? Does it mean that if I do it, then all future proprietary kernel modules that I install will happen smoothly without enrolling their own MOKs?
2 Answers 2
on my installation there is no such command update-secureboot-policy
On my Ubuntu system that command is in the shim-signed package.
1. What is the initial "Continue boot" or "Enroll MOK" dialog that appears when you install Mint and reboot for the first time?
That is produced by shimx64.efi when it detects that there is a new MOK in a OS-accessible UEFI NVRAM variable, waiting to be installed.
2. If I had enrolled the MOK key, would Virtualbox have installed without asking me to do anything?
2.5. What exactly does VirtualBox when it enrolls its own key?
It probably just triggers update-secureboot-policy --enroll-key if it's available.
3. How can I do the "Enroll MOK" now after I have installed and configured my system and really don't want to re-install again?
sudo apt install shim-signed sudo update-secureboot-policy --enroll-key
4. Now I am afraid to install the proprietary NVidia drivers, because I didn't enroll MOK and am afraid that it won't work.
Technically not a question, but don't worry. If you install the NVidia driver through Ubuntu's/Mint's 3rd-party driver management tool, it will probably just do the steps listed in 3.) above for you if you haven't already done that.
If you use the installation package downloaded directly from NVidia, first install a dkms management tool for third-party modules, and then run the NVidia driver installer:
sudo apt install dkms sudo ./NVIDIA-Linux-x86_64-.run --dkms \ --module-signing-secret-key=/var/lib/shim-signed/mok/MOK.priv \ --module-signing-public-key=/var/lib/shim-signed/mok/MOK.der
dkms automates the rebuilding of the 3rd-party kernel modules (like the NVidia driver's) so you won't have to do it manually whenever you receive a kernel security update.
5. And, generally, what does this "Enroll MOK" thing do after the 1-st reboot?
If you don't do the "Enroll MOK" on the next reboot right after running update-secureboot-policy --enroll-key , the enrollment procedure will be on hold, waiting for you to either complete it by selecting "Enroll MOK" on a subsequent boot, or to cancel it with sudo mokutil --revoke-import within Linux.
Once you've completed the MOK enrollment procedure, you should not see that prompt again unless you lose the old MOK and enroll a new one.
5.1. Does it mean that it puts some Ubuntu keys in the BIOS?
No, the enrollment procedure makes a key that is unique to your system and places it in /var/lib/shim-signed/mok/ accessible to root only, so the kernel module installation processes can use it, and enrolls a copy of the public part of the key to an UEFI NVRAM variable, so it can be used by shimx64.efi when booting.
5.2. Does it mean that if I do it, then all future proprietary kernel modules that I install will happen smoothly without enrolling their own MOKs?
That's the idea, yes. Unfortunately not all third-party kernel module source packages have not yet been updated to seamlessly detect the presence of MOK and automatically use it if necessary.