start:issecurebootworking


OK, so it was possible to get Secure Boot working. It took me a long time as I didn't fully understand what was happening.

I did follow https://wiki.debian.org/SecureBoot so you should 100% check that out also, but essentially the first part (kernel signed) wasn't too hard. I got stuck on the Nvidia part.

So indeed you want Secure Boot to be on and booted. On my system I got an error either just before or just after grub warning me the OS had been changed (because the BIOS didn't know to trust grub) but I resolved it this way.

First check it's booted into Secure Boot (i.e. you changed your BIOS to enable it):

sudo mokutil --sb-state

Should say “SecureBoot enabled” when you enter that command.

Like Debian suggests, first check there are no MOK keys:

ls /var/lib/shim-signed/mok/

If there are keys but you want to start again, you can delete them and also clear any Secure Boot config in your BIOS, as you have to clear things on both sides to truly start again. If you don't have any listed in that directory you can generate some new ones, or try using the ones already there.

So if you need to generate new ones, the Debian guide is accurate:

# Run these as root; /var/lib/shim-signed is not writable by a normal user.
mkdir -p /var/lib/shim-signed/mok/
cd /var/lib/shim-signed/mok/
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
openssl x509 -inform der -in MOK.der -out MOK.pem
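
A check you can run on the key directory once the files exist, added here as an example and not taken from the Debian guide or the original page: it confirms MOK.priv is not accessible to other users, that MOK.der and MOK.pem are the same certificate, and that the certificate belongs to the private key. The function name check_mok is made up for this example, and stat -c assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a MOK directory.
# check_mok [DIR] returns 0 if every check passes and prints each failure.
check_mok() {
    dir=${1:-/var/lib/shim-signed/mok}
    rc=0

    for f in MOK.priv MOK.der MOK.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # Whoever can read MOK.priv can sign code your firmware will trust,
    # so group and other must have no access to it.
    mode=$(stat -c %a "$dir/MOK.priv") || mode=unknown
    case $mode in
        ?00) ;;
        *) echo "MOK.priv has mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    # MOK.der and MOK.pem must be one certificate in two encodings.
    fp_der=$(openssl x509 -inform der -in "$dir/MOK.der" -noout -fingerprint -sha256) || fp_der=
    fp_pem=$(openssl x509 -in "$dir/MOK.pem" -noout -fingerprint -sha256) || fp_pem=
    [ -n "$fp_der" ] && [ "$fp_der" = "$fp_pem" ] ||
        { echo "MOK.der and MOK.pem are not the same certificate"; rc=1; }

    # The public key inside the certificate must be the one derived from
    # MOK.priv. openssl asks for the passphrase if the key has one.
    pub_key=$(openssl pkey -in "$dir/MOK.priv" -pubout) || pub_key=
    pub_crt=$(openssl x509 -in "$dir/MOK.pem" -noout -pubkey) || pub_crt=
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_crt" ] ||
        { echo "MOK.priv does not match the certificate"; rc=1; }

    return "$rc"
}
```

Source the file and run check_mok as root with no argument to check /var/lib/shim-signed/mok/.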
start/issecurebootworking.1652718617.txt.gz · Last modified: 2022/05/16 16:30 by peter