start:issecurebootworking [2022/03/23 15:07] – created peter | start:issecurebootworking [2024/04/24 13:27] (current) – admin | ||
---|---|---|---|
- | Secure | + | NOTE ON 24-April-2024 |
+ | Honestly secure | ||
+ | |||
+ | DATE CHECKED THIS PAGE WAS VALID: 30/08/2023 | ||
+ | |||
+ | OK, so it was possible to get Secure Boot working. It took me a long time as I didn't fully understand what was happening. | ||
+ | |||
+ | I did follow https:// | ||
+ | |||
+ | The first thing you want to do is make sure you have the NVIDIA drivers installed and working with Secure Boot disabled, so you know everything works before you turn it on and then resolve the various problems as they arise. | ||
+ | |||
+ | So you will want secureboot to be on and booted | ||
+ | |||
+ | First check that it's booted with Secure Boot on (i.e. you changed your BIOS/UEFI settings to enable it): | ||
+ | ||| 
+ | <code> | ||
+ | sudo mokutil --sb-state | ||
+ | </code> | ||
+ | Should say " | ||
+ | ||| 
+ | As the Debian wiki suggests, first check there are no existing MOK keys: | ||
+ | <code> | ||
+ | ls / | ||
+ | </code> | ||
+ | |||
+ | If there are keys but you want to start again, you can delete them and also clear any Secure Boot/MOK state in your BIOS, as you have to clear things on both sides to truly start again. If there are none listed in that directory you can generate new ones, or try using the ones already there. | ||
+ | Note: If you already have keys and just updated your drivers and they stopped | ||
+ | |||
+ | If you need to generate new keys, the Debian guide is accurate (type one line at a time and hit return after each): | ||
+ | ||| 
+ | <code> | ||
+ | mkdir -p / | ||
+ | cd / | ||
+ | openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/ | ||
+ | openssl x509 -inform der -in MOK.der -out MOK.pem | ||
+ | </code> | ||
+ | Unless you add -nodes, openssl prompts for a PEM pass phrase and encrypts MOK.priv with it. Remember that pass phrase: it is what sign-file needs later (as KBUILD_SIGN_PIN) to use the private key, and it is separate from the enrolment password mokutil asks for in the next step. Keep MOK.priv readable only by root, because anyone who can use it can sign modules that the kernel will then load. | ||
+ | |||
+ | Then import the key: | ||
+ | <code> | ||
+ | sudo mokutil --import MOK.der | ||
+ | </code> | ||
+ | mokutil asks for a password here. This is a one-time enrolment password that MokManager (the blue screen shim shows at the next boot) asks you to repeat before it enrols the key, so pick one you will remember. I used an 8 character password in case there was a length limit. | ||
+ | |||
+ | <code> | ||
+ | sudo mokutil --list-new | ||
+ | </code> | ||
+ | |||
+ | When you reboot the machine at this point, MokManager comes up before the OS and asks you to enrol the new MOK: choose Enroll MOK, continue, confirm with Yes and enter the enrolment password you gave mokutil. You need to complete this so that shim trusts the key. Debian's own shim, GRUB and kernel are already signed and boot under Secure Boot without it; the MOK is what lets the modules you sign yourself load. | ||
+ | |||
+ | So to reiterate, this part worked fine for me following Debian's wiki and I didn't get stuck at all here. It was only the NVIDIA part I got stuck on. | ||
+ | |||
+ | So once booted (and you don't get an untrusted OS error) we can now make the NVIDIA drivers work. This is the part I got stuck on, and this is how I resolved it. I personally had no issues getting the system to boot fine with Secure Boot, but the NVIDIA driver wouldn't load: I only got the Intel card listed under GNOME Settings and the command " | ||
+ | |||
+ | Here I made sure my NVIDIA drivers were installed completely before continuing: | ||
+ | <code> | ||
+ | sudo apt-get install nvidia-settings nvidia-kernel-dkms nvidia-cuda-mps nvidia-driver vulkan-tools firmware-linux firmware-linux-nonfree firmware-misc-nonfree | ||
+ | </code> | ||
+ | |||
+ | This made sure I had all the packages I needed. I believe you should be able to use the command "sudo dkms status" | ||
+ | |||
+ | Note: If you just updated your drivers and they stopped working (i.e. the new modules are no longer signed), just sign them again as per the below (assume sbsigntool | ||
+ | Once I had this all in place I then typed this in the terminal (ONE LINE AT A TIME): | ||
+ | ||| 
+ | <code> | ||
+ | VERSION=" | ||
+ | SHORT_VERSION=" | ||
+ | MODULES_DIR=/ | ||
+ | KBUILD_DIR=/ | ||
+ | cd " | ||
+ | sudo apt-get install sbsigntool | ||
+ | </code> | ||
+ | Note that sbsigntool provides sbsign, which signs EFI binaries; the module signing below uses the sign-file tool from Debian's linux-kbuild package (pulled in by the linux-headers package for your kernel), so make sure that is installed too. | ||
+ | |||
+ | **CRITICAL NOTE!!!!!!!!! | ||
+ | ON DEBIAN 12 THERE WAS A CHANGE WHERE THIS PART OF THE SCRIPT INCORRECTLY GETS THE DIRECTORY: | ||
+ | <code> | ||
+ | uname -r | cut -d . -f 1-2 | ||
+ | </code> | ||
+ | This means that ls / | ||
+ | <code> | ||
+ | SHORT_VERSION=" | ||
+ | </code> | ||
+ | This means "ls / | ||
+ | |||
+ | |||
+ | Very important: the next command reads a value silently, so it shows no prompt; the terminal just sits and waits for input. What it wants is the PEM pass phrase you gave openssl when it generated MOK.priv (sign-file reads KBUILD_SIGN_PIN to unlock the private key), not the enrolment password you typed into mokutil. Using the same value for both avoids confusion, but they are two separate secrets: | ||
+ | ||| 
+ | <code> | ||
+ | read -s KBUILD_SIGN_PIN | ||
+ | </code> | ||
+ | ||| 
+ | Make sure you type the pass phrase carefully here with no errors, and don't get confused by it just waiting. | ||
+ | ||| 
+ | Next export it and sign all the modules (remember, one line at a time when entering commands): | ||
+ | <code> | ||
+ | export KBUILD_SIGN_PIN | ||
+ | for i in *.ko ; do sudo --preserve-env=KBUILD_SIGN_PIN " | ||
+ | </code> | ||
+ | |||
+ | Assuming you typed the pass phrase correctly, you won't get any errors; if it was wrong, sign-file fails with an OpenSSL error for every module, so re-run the read and export steps and sign again. | ||
+ | You should now be able to see that a module is signed. You can pick any module | ||
+ | <code> | ||
+ | sudo modinfo nvidia-tesla-510-drm.ko | ||
+ | </code> | ||
+ | NOTE: The filename may be different; just use tab completion to find an appropriate file to check, e.g. nvidia-current-drm or some other name. A signed module shows signer, sig_key, sig_hashalgo and signature fields in the modinfo output; an unsigned one has none of them. | ||
+ | |||
+ | Above assumes you have that particular driver installed but just check a different file/ | ||
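As an added example for the signing and checking steps above (this is not the page's own commands and not the Debian wiki's script), here is a small POSIX sh script that maps the running kernel version to the linux-kbuild directory, signs every DKMS module with sign-file and verifies that each file actually ends with the kernel's signature marker. It assumes the key pair sits in /var/lib/shim-signed/mok as MOK.priv and MOK.der (overridable through the MOK_DIR variable), that out-of-tree modules live under /lib/modules/<version>/updates/dkms, and that sign-file comes from Debian's linux-kbuild package; the helper names kbuild_dir_for, is_signed_ko, list_unsigned_modules and sign_all_modules are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not the page author's commands, not the Debian wiki script):
# sign every DKMS-built .ko for a kernel with the MOK key and verify the
# result. Assumptions: key pair in $MOK_DIR as MOK.priv/MOK.der, modules in
# /lib/modules/<version>/updates/dkms, sign-file from Debian's linux-kbuild.
set -eu

MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"   # assumed key location

# Map a kernel version string to the linux-kbuild directory, e.g.
# 6.1.0-18-amd64 -> /usr/lib/linux-kbuild-6.1 (upstream major.minor).
# If that exact directory is missing, fall back to the first
# linux-kbuild-<major.minor>* directory, which covers the Debian 12 naming
# mismatch the page warns about. The lib directory is a parameter so the
# function can be exercised on a scratch tree without a kernel installed.
kbuild_dir_for() {
    version="$1"
    libdir="${2:-/usr/lib}"
    short="$(printf '%s' "$version" | cut -d . -f 1-2)"
    candidate="$libdir/linux-kbuild-$short"
    if [ -d "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    for candidate in "$libdir"/linux-kbuild-"$short"*; do
        if [ -d "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'no linux-kbuild directory for %s under %s\n' "$version" "$libdir" >&2
    return 1
}

# True if the module already carries an appended signature: sign-file writes
# the signature, a descriptor and then the fixed 28-byte marker
# "~Module signature appended~\n" as the very last bytes of the file.
is_signed_ko() {
    [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Print every .ko in a directory that has no signature, e.g. after a driver
# update dropped freshly built, unsigned modules into updates/dkms.
list_unsigned_modules() {
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue
        is_signed_ko "$ko" || printf '%s\n' "$ko"
    done
}

# Sign every DKMS module for the given kernel and check each result.
sign_all_modules() {
    version="${1:-$(uname -r)}"
    modules_dir="/lib/modules/$version/updates/dkms"
    sign_file="$(kbuild_dir_for "$version")/scripts/sign-file"
    [ -x "$sign_file" ] || { printf 'sign-file not executable: %s\n' "$sign_file" >&2; return 1; }
    [ -d "$modules_dir" ] || { printf 'no DKMS modules under %s\n' "$modules_dir" >&2; return 1; }
    # KBUILD_SIGN_PIN is the PEM pass phrase protecting MOK.priv (the one
    # openssl asked for), not the enrolment password given to mokutil.
    if [ -z "${KBUILD_SIGN_PIN:-}" ]; then
        printf 'MOK.priv pass phrase: '
        stty -echo
        read -r KBUILD_SIGN_PIN
        stty echo
        echo
        export KBUILD_SIGN_PIN
    fi
    for ko in "$modules_dir"/*.ko; do
        sudo --preserve-env=KBUILD_SIGN_PIN "$sign_file" sha256 \
            "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$ko"
        is_signed_ko "$ko" || { printf 'no signature on %s after signing\n' "$ko" >&2; return 1; }
        printf 'signed: %s\n' "$ko"
    done
}

# Usage: ./sign-dkms.sh check [kernel-version]   list unsigned modules
#        ./sign-dkms.sh sign  [kernel-version]   sign and verify them all
case "${1:-}" in
    check) list_unsigned_modules "/lib/modules/${2:-$(uname -r)}/updates/dkms" ;;
    sign)  sign_all_modules "${2:-$(uname -r)}" ;;
esac
```

Run `./sign-dkms.sh check` after a driver update to see which modules came back unsigned, and `./sign-dkms.sh sign` to sign them; the marker check is deliberately separate from sign-file's own exit status, so a module that sign-file silently skipped still shows up as a failure rather than as a mysterious "module not found" at the next boot.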
+ | |||
+ | If you now reboot | ||
+ | |||
+ | I checked it was all working after reboot with: | ||
+ | ||| 
+ | <code> | ||
+ | nvidia-smi | ||
+ | sudo mokutil --sb-state | ||
+ | </code> | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Sorry, I realise this guide is a little rough around the edges; I had to write up a lot from memory, but this is essentially how I did it. | ||
+ | |||
+ | P | ||
+ | |||
+ | |||
+ | Edit: Just wanted to show what a signed module looks like; note there is a signature with some signed information: | ||
+ | {{: |