This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
start:issecurebootworking [2022/05/16 16:57] – peter | start:issecurebootworking [2024/04/24 13:27] (current) – admin | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | NOTE ON 24-April-2024 | ||
+ | Honestly secure boot is super annoying on Debian. In Ubuntu its automatic, but Debian everytime there is a kernel or Nvidia driver update you have to manually resign all the drivers which I find of questionable value. Im not sure what security benefit is actually being achieved here, at high cost and annoyance. Also the signing code has stopped working due to some bug at the moment so its not even super reliable when you cant sign your graphics drivers because devs are working on fixing bugs in the code. I recommend not using secure boot on Debian testing. If you absolutely have to have this then you can try fiddling around with the below guide, or using Debian or Ubuntu stable. I tried it for a few years but it was always annoying and provided no tangible benefit. | ||
+ | |||
+ | DATE CHECKED THIS PAGE WAS VALID: 30/ | ||
+ | |||
Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening. | Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening. | ||
Line 20: | Line 25: | ||
If there are keys but you want to start again you can delete them and also clear any secure boot config in your bios, as you have to clear things both sides to truly start again, but if you dont have any listed in that directory you can generate some new ones, or try using the ones already there. | If there are keys but you want to start again you can delete them and also clear any secure boot config in your bios, as you have to clear things both sides to truly start again, but if you dont have any listed in that directory you can generate some new ones, or try using the ones already there. | ||
+ | Note: If you already have keys and just updated your drivers and they stopped working (ie are no longer signed) just move on to the section below where you sign them again. | ||
So if you need to generate new then the Debian guide is accurate (type one line at a time only and hit return after): | So if you need to generate new then the Debian guide is accurate (type one line at a time only and hit return after): | ||
Line 53: | Line 59: | ||
This made sure I had all the packages I needed. I believe you should be able to use the command "sudo dkms status" | This made sure I had all the packages I needed. I believe you should be able to use the command "sudo dkms status" | ||
+ | Note: If you just updated your drivers and they stopped working (ie are no longer signed) just sign them again as per the below (assume sbssigntool is already installed and skip that line). | ||
Once I had this all in place I then typed this in the terminal (ONE LINE AT A TIME): | Once I had this all in place I then typed this in the terminal (ONE LINE AT A TIME): | ||
Line 64: | Line 71: | ||
</ | </ | ||
- | Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. | + | **CRITICAL NOTE!!!!!!!!! |
+ | ON DEBIAN 12 THERE WAS A CHANGE WHERE THIS PART OF THE SCRIPT INCORRECTLY GETS THE DIRECTORY: | ||
+ | < | ||
+ | uname -r | cut -d . -f 1-2 | ||
+ | </ | ||
+ | This means that ls / | ||
+ | < | ||
+ | SHORT_VERSION=" | ||
+ | </ | ||
+ | This means "ls / | ||
+ | |||
+ | |||
+ | Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. | ||
< | < | ||
Line 72: | Line 91: | ||
Make sure you type the password carefully here with no errors, and dont get confused by it just waiting. | Make sure you type the password carefully here with no errors, and dont get confused by it just waiting. | ||
- | Next export it and sign all modules: | + | Next export it and sign all modules |
< | < | ||
export KBUILD_SIGN_PIN | export KBUILD_SIGN_PIN | ||
Line 78: | Line 97: | ||
</ | </ | ||
+ | Assuming you type the password correct, you wont get any errors. | ||
You should be able to now see that a module is signed. You can pick any module in that directory but as an example: | You should be able to now see that a module is signed. You can pick any module in that directory but as an example: | ||
< | < | ||
sudo modinfo nvidia-tesla-510-drm.ko | sudo modinfo nvidia-tesla-510-drm.ko | ||
</ | </ | ||
+ | NOTE: Filename may be different just use tab completion to find appropriate file to check eg even nvidia-current-drm or some other name. | ||
Above assumes you have that particular driver installed but just check a different file/ | Above assumes you have that particular driver installed but just check a different file/ | ||
Line 94: | Line 115: | ||
</ | </ | ||
- | {{: | + | {{: |
Sorry I realise this guide is a little rough around the edges, I had to write up a lot from memory but this is essentially how I did it. | Sorry I realise this guide is a little rough around the edges, I had to write up a lot from memory but this is essentially how I did it. | ||
P | P | ||
+ | |||
+ | |||
+ | Edit: Just wanted to show what a signed module looks like, note there is a signature with some signed information: | ||
+ | {{: |