NOTE ON 24-April-2024 Honestly secure boot is super annoying on Debian. In Ubuntu its automatic, but Debian everytime there is a kernel or Nvidia driver update you have to manually resign all the drivers which I find of questionable value. Im not sure what security benefit is actually being achieved here, at high cost and annoyance. Also the signing code has stopped working due to some bug at the moment so its not even super reliable when you cant sign your graphics drivers because devs are working on fixing bugs in the code. I recommend not using secure boot on Debian testing. If you absolutely have to have this then you can try fiddling around with the below guide, or using Debian or Ubuntu stable. I tried it for a few years but it was always annoying and provided no tangible benefit.

DATE CHECKED THIS PAGE WAS VALID: 30/08/2023

Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening.

I did follow https://wiki.debian.org/SecureBoot so you should 100% check that out also, but essentially the first part (kernel signed) wasnt too hard. I got stuck on the Nvidia part.

First thing you want to do is make sure you have nvidia drivers installed and working before moving onto secure boot so that you know everything works with it disabled, and then you move onto turning it on and resolving the various problems as they arise.

So you will want secureboot to be on and booted when configuring this all going forward after checking the system is working perfectly barring secureboot. On my system after enabling it I got an error either just before or just after grub warning me (I forget which) the OS had been changed/untrusted (because the BIOS didnt know to trust grub/linux kernel it was booting) but I resolved it this way:

First check its booted into secure boot (ie you changed your bios to enable it)

sudo mokutil --sb-state

Should say “SecureBoot enabled” when you enter that command.

Like debian suggests check first there are no mok keys:

ls /var/lib/shim-signed/mok/

If there are keys but you want to start again you can delete them and also clear any secure boot config in your bios, as you have to clear things both sides to truly start again, but if you dont have any listed in that directory you can generate some new ones, or try using the ones already there. Note: If you already have keys and just updated your drivers and they stopped working (ie are no longer signed) just move on to the section below where you sign them again.

So if you need to generate new then the Debian guide is accurate (type one line at a time only and hit return after):

mkdir -p /var/lib/shim-signed/mok/
cd /var/lib/shim-signed/mok/
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
openssl x509 -inform der -in MOK.der -out MOK.pem

Then import the key:

sudo mokutil --import MOK.der

You must type a password here that you remember as you need to type it into the bios also when you reboot. I used an 8 character password in case there was a length limit.

sudo mokutil --list-new

Once you reboot the machine at this point you will be asked to enter the mok key by the box's bios. You need to complete this correctly so the bios trusts the debian install and you can boot it without getting an error.

So to reiterate, this part worked fine for me following debians wiki and I didnt get stuck at all here. It was only the nvidia part I got stuck on.

So once booted (and you dont get an untrusted OS error) we can now make Nvidia drivers work. This part I got stuck on and this is how I resolved it. I personally had no issues getting the system to boot fine with secure boot but the nvidia driver wouldnt load and I only got the intel card listed under gnome settings and the command “nvidia-smi” couldnt find the nvidia card.

Here I made sure my nvidia drivers were installed perfectly before continuing:

sudo apt-get install nvidia-settings nvidia-kernel-dkms nvidia-cuda-mps nvidia-driver nvidia-cuda-mps vulkan-tools firmware-linux firmware-linux-nonfree firmware-misc-nonfree nvidia-kernel-dkms 

This made sure I had all the packages I needed. I believe you should be able to use the command “sudo dkms status” to check modules but I didnt need to do that/it provided no useful information for me personally.

Note: If you just updated your drivers and they stopped working (ie are no longer signed) just sign them again as per the below (assume sbssigntool is already installed and skip that line). Once I had this all in place I then typed this in the terminal (ONE LINE AT A TIME):

VERSION="$(uname -r)"
SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION
cd "$MODULES_DIR/updates/dkms"
sudo apt-get install sbsigntool 

CRITICAL NOTE!!!!!!!!! ON DEBIAN 12 THERE WAS A CHANGE WHERE THIS PART OF THE SCRIPT INCORRECTLY GETS THE DIRECTORY:

uname -r | cut -d . -f 1-2

This means that ls /usr/lib/linux-kbuild-$SHORT_VERSION produces an error as the directory does not exist. Instead use something like:

SHORT_VERSION="$(uname -r | cut -d - -f 1-2)"

This means “ls /usr/lib/linux-kbuild-$SHORT_VERSION” can provide a valid directory. This might keep changing I am unsure so leaving this up. If you blindly copy and paste without checking the directory exists you will get errors like sudo: /usr/lib/linux-kbuild-6.4/scripts/sign-file: command not found

Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. Use the same password you used before when setting up Mok for the BIOS to avoid confusion:

read -s KBUILD_SIGN_PIN

Make sure you type the password carefully here with no errors, and dont get confused by it just waiting.

Next export it and sign all modules (remember one line at a time when entering commands):

export KBUILD_SIGN_PIN
for i in *.ko ; do sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$i" ; done

Assuming you type the password correct, you wont get any errors. You should be able to now see that a module is signed. You can pick any module in that directory but as an example:

sudo modinfo nvidia-tesla-510-drm.ko

NOTE: Filename may be different just use tab completion to find appropriate file to check eg even nvidia-current-drm or some other name.

Above assumes you have that particular driver installed but just check a different file/version if you dont.

If you now reboot the machine it should have everything it needs to secure boot the nvidia driver.

I checked it was all working after reboot with:

nvidia-smi
sudo mokutil --sb-state

Sorry I realise this guide is a little rough around the edges, I had to write up a lot from memory but this is essentially how I did it.

P

Edit: Just wanted to show what a signed module looks like, note there is a signature with some signed information: