Make Debian Fun Again And Learn How To Do Other Cool Stuff Too

User Tools

Site Tools

Trace:
start:issecurebootworking

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
start:issecurebootworking [2022/05/16 16:45] peterstart:issecurebootworking [2024/04/24 13:27] (current) admin
Line 1: Line 1:
 +NOTE ON 24-April-2024
 +Honestly secure boot is super annoying on Debian. In Ubuntu its automatic, but Debian everytime there is a kernel or Nvidia driver update you have to manually resign all the drivers which I find of questionable value. Im not sure what security benefit is actually being achieved here, at high cost and annoyance. Also the signing code has stopped working due to some bug at the moment so its not even super reliable when you cant sign your graphics drivers because devs are working on fixing bugs in the code. I recommend not using secure boot on Debian testing. If you absolutely have to have this then you can try fiddling around with the below guide, or using Debian or Ubuntu stable. I tried it for a few years but it was always annoying and provided no tangible benefit.
 +
 +DATE CHECKED THIS PAGE WAS VALID: 30/08/2023 
 +
 Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening. Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening.
  
Line 20: Line 25:
  
 If there are keys but you want to start again you can delete them and also clear any secure boot config in your bios, as you have to clear things both sides to truly start again, but if you dont have any listed in that directory you can generate some new ones, or try using the ones already there. If there are keys but you want to start again you can delete them and also clear any secure boot config in your bios, as you have to clear things both sides to truly start again, but if you dont have any listed in that directory you can generate some new ones, or try using the ones already there.
 +Note: If you already have keys and just updated your drivers and they stopped working (ie are no longer signed) just move on to the section below where you sign them again.
  
-So if you need to generate new then the Debian guide is accurate:+So if you need to generate new then the Debian guide is accurate (type one line at a time only and hit return after):
  
 <code> <code>
Line 42: Line 48:
 Once you reboot the machine at this point you will be asked to enter the mok key by the box's bios. You need to complete this correctly so the bios trusts the debian install and you can boot it without getting an error. Once you reboot the machine at this point you will be asked to enter the mok key by the box's bios. You need to complete this correctly so the bios trusts the debian install and you can boot it without getting an error.
  
-Once booted (and you dont get an untrusted OS error) we can make Nvidia drivers work. This part I got stuck on and this is how I resolved it. I personally had no issues getting the system to boot fine with secure boot but the nvidia driver wouldnt load and I only got the intel card listed under gnome settings and the command "nvidia-smi" couldnt find the nvidia card.+So to reiterate, this part worked fine for me following debians wiki and I didnt get stuck at all here. It was only the nvidia part I got stuck on. 
 + 
 +So once booted (and you dont get an untrusted OS error) we can now make Nvidia drivers work. This part I got stuck on and this is how I resolved it. I personally had no issues getting the system to boot fine with secure boot but the nvidia driver wouldnt load and I only got the intel card listed under gnome settings and the command "nvidia-smi" couldnt find the nvidia card.
  
 Here I made sure my nvidia drivers were installed perfectly before continuing: Here I made sure my nvidia drivers were installed perfectly before continuing:
Line 51: Line 59:
 This made sure I had all the packages I needed. I believe you should be able to use the command "sudo dkms status" to check modules but I didnt need to do that/it provided no useful information for me personally. This made sure I had all the packages I needed. I believe you should be able to use the command "sudo dkms status" to check modules but I didnt need to do that/it provided no useful information for me personally.
  
-Once I had this all in place I then typed this in the terminal:+Note: If you just updated your drivers and they stopped working (ie are no longer signed) just sign them again as per the below (assume sbssigntool is already installed and skip that line). 
 +Once I had this all in place I then typed this in the terminal (ONE LINE AT A TIME):
  
 <code> <code>
Line 62: Line 71:
 </code> </code>
  
-Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. Us the same password you used before when setting up Mok for the BIOS to avoid confusion:+**CRITICAL NOTE!!!!!!!!! 
 +ON DEBIAN 12 THERE WAS A CHANGE WHERE THIS PART OF THE SCRIPT INCORRECTLY GETS THE DIRECTORY:** 
 +<code> 
 +uname -r | cut -d . -f 1-2 
 +</code> 
 +This means that ls /usr/lib/linux-kbuild-$SHORT_VERSION produces an error as the directory does not exist. Instead use something like: 
 +<code> 
 +SHORT_VERSION="$(uname -r | cut -d - -f 1-2)" 
 +</code> 
 +This means "ls /usr/lib/linux-kbuild-$SHORT_VERSION" can provide a valid directory. This might keep changing I am unsure so leaving this up. If you blindly copy and paste without checking the directory exists you will get errors like sudo: /usr/lib/linux-kbuild-6.4/scripts/sign-file: command not found 
 + 
 + 
 +Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. Use the same password you used before when setting up Mok for the BIOS to avoid confusion:
  
 <code> <code>
Line 70: Line 91:
 Make sure you type the password carefully here with no errors, and dont get confused by it just waiting. Make sure you type the password carefully here with no errors, and dont get confused by it just waiting.
  
-Next export it and sign all modules:+Next export it and sign all modules (remember one line at a time when entering commands):
 <code> <code>
 export KBUILD_SIGN_PIN export KBUILD_SIGN_PIN
Line 76: Line 97:
 </code> </code>
  
-You should be able to now see that a module is signed. You can pick any mdule in that directory but as an example:+Assuming you type the password correct, you wont get any errors. 
 +You should be able to now see that a module is signed. You can pick any module in that directory but as an example:
 <code> <code>
 sudo modinfo nvidia-tesla-510-drm.ko sudo modinfo nvidia-tesla-510-drm.ko
 </code> </code>
 +NOTE: Filename may be different just use tab completion to find appropriate file to check eg even nvidia-current-drm or some other name.
  
 Above assumes you have that particular driver installed but just check a different file/version if you dont. Above assumes you have that particular driver installed but just check a different file/version if you dont.
Line 92: Line 115:
 </code> </code>
  
 +{{:images:securebootproof.png|}}
  
 +Sorry I realise this guide is a little rough around the edges, I had to write up a lot from memory but this is essentially how I did it.
  
 +P
  
  
 +Edit: Just wanted to show what a signed module looks like, note there is a signature with some signed information:
 +{{:images:signedexamplenvidia.png|}}
start/issecurebootworking.1652719551.txt.gz · Last modified: 2022/05/16 16:45 by peter

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki