start:issecurebootworking

Differences

This shows you the differences between two versions of the page.

start:issecurebootworking [2022/09/11 13:10] peter
start:issecurebootworking [2024/04/24 13:27] (current) admin
Line 1: Line 1:
 +NOTE ON 24-April-2024
 +Honestly secure boot is super annoying on Debian. In Ubuntu its automatic, but Debian everytime there is a kernel or Nvidia driver update you have to manually resign all the drivers which I find of questionable value. Im not sure what security benefit is actually being achieved here, at high cost and annoyance. Also the signing code has stopped working due to some bug at the moment so its not even super reliable when you cant sign your graphics drivers because devs are working on fixing bugs in the code. I recommend not using secure boot on Debian testing. If you absolutely have to have this then you can try fiddling around with the below guide, or using Debian or Ubuntu stable. I tried it for a few years but it was always annoying and provided no tangible benefit.
 +
 +DATE CHECKED THIS PAGE WAS VALID: 30/08/2023 
 +
 Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening. Ok So it was possible to get secure boot working. It took me a long time as I didnt fully understand what was happening.
  
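Review bot: The two added status lines at the top contradict each other: the note dated 24-April-2024 says the signing code "has stopped working due to some bug at the moment", while the line below it says the page was checked valid on 30/08/2023. A reader cannot tell whether the steps further down currently work. Suggest naming the Debian release and the kernel or driver package the failure was seen on, linking the bug report if there is one, and updating or dropping the validity date so only one status remains. The recommendation not to use secure boot on Debian testing rests on "Im not sure what security benefit is actually being achieved"; either state what is given up by turning it off or keep the note to the operational problem.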
Line 66: Line 71:
 </code> </code>
  
-Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. Us the same password you used before when setting up Mok for the BIOS to avoid confusion:+**CRITICAL NOTE!!!!!!!!! 
 +ON DEBIAN 12 THERE WAS A CHANGE WHERE THIS PART OF THE SCRIPT INCORRECTLY GETS THE DIRECTORY:** 
 +<code> 
 +uname -r | cut -d . -f 1-2 
 +</code> 
 +This means that ls /usr/lib/linux-kbuild-$SHORT_VERSION produces an error as the directory does not exist. Instead use something like: 
 +<code> 
 +SHORT_VERSION="$(uname -r | cut -d - -f 1-2)" 
 +</code> 
 +This means "ls /usr/lib/linux-kbuild-$SHORT_VERSION" can provide a valid directory. This might keep changing I am unsure so leaving this up. If you blindly copy and paste without checking the directory exists you will get errors like sudo: /usr/lib/linux-kbuild-6.4/scripts/sign-file: command not found 
 + 
 + 
 +Very important - after you type the next command it asks you for a password, but its not obvious that its asking for a password, the terminal just sits and waits for input. Use the same password you used before when setting up Mok for the BIOS to avoid confusion:
  
 <code> <code>
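Review bot: Missing check in the added CRITICAL NOTE: replacing `cut -d . -f 1-2` with `cut -d - -f 1-2` is still a guess at the layout of `uname -r`, and the note itself says this "might keep changing". The failure only shows up later as `sign-file: command not found`, so suggest having the script test the path before it signs anything, for example `[ -x "/usr/lib/linux-kbuild-$SHORT_VERSION/scripts/sign-file" ] || { echo "sign-file not found" >&2; exit 1; }`, instead of relying on the reader to run `ls` by hand. The first snippet also shows only the pipeline while the second shows the full `SHORT_VERSION="$(...)"` assignment; give both in the same form so it is clear which line of the script is being replaced.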
Line 85: Line 102:
 sudo modinfo nvidia-tesla-510-drm.ko sudo modinfo nvidia-tesla-510-drm.ko
 </code> </code>
-NOTE: Filename may be different just use tab completion to find appropriate file to check.+NOTE: Filename may be different just use tab completion to find appropriate file to check eg even nvidia-current-drm or some other name.
  
 Above assumes you have that particular driver installed but just check a different file/version if you dont. Above assumes you have that particular driver installed but just check a different file/version if you dont.
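Review bot: Style point on the changed NOTE line: the new example name `nvidia-current-drm` omits the `.ko` suffix that the `modinfo` command above it uses, and the NOTE now says almost the same thing as the following "Above assumes you have that particular driver installed" sentence. Suggest merging the two into one sentence and writing the alternative as `nvidia-current-drm.ko` so it matches what tab completion will actually offer.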
start/issecurebootworking.1662901853.txt.gz · Last modified: 2022/09/11 13:10 by peter