Test procedure on an existing installation

This writeup only works if you have an already-installed and running system.

To test the Secure Boot feature on real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable is needed

As of 20190207, the firmware-buster-DI-alpha5-amd64-netinst ISO will not boot if UEFI Secure Boot is enabled*

* Tested on Dell PowerEdge R630

2. Install shim, grub and linux signed packages from unstable:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-3-amd64

3. Download the test certificate:

   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem

4. Convert the certificate to DER format:

   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der

5. Import the test DER certificate as a MOK (Machine Owner Key). There are 2 steps to follow:

   $ mokutil --import test-signing-certs.der

Shell> fs0:\EFI\debian\mmx64.efi

Shell> exit

6. Enable Secure Boot

7. Reboot the machine and enjoy the Secure Boot feature :)

Do not forget to check that GRUB is loading the signed Linux image 4.19.0-1-amd64. You can also run the following command to check the Secure Boot status:

   $ mokutil --sb-state
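The checks after step 5 and after the final reboot can be scripted. The following is an added example, not part of the original page; the function names, the file name check.sh and the matched output strings are assumptions about mokutil's wording.

```shell
#!/bin/sh
# Added example, not from the wiki page. The strings matched below are
# assumptions about the wording mokutil prints.

# Classify `mokutil --sb-state` output. Shim validation can be off while the
# firmware still reports Secure Boot as enabled, so that case is tested first.
sb_state() {
    case "$1" in
        *"validation is disabled in shim"*) echo shim-validation-off ;;
        *"SecureBoot enabled"*)             echo enabled ;;
        *"SecureBoot disabled"*)            echo disabled ;;
        *)                                  echo unknown ;;
    esac
}

# Classify `mokutil --test-key <cert.der>` output for the test certificate.
mok_state() {
    case "$1" in
        *"is already enrolled"*)               echo enrolled ;;
        *"already in the enrollment request"*) echo pending ;;
        *"is not enrolled"*)                   echo missing ;;
        *)                                     echo unknown ;;
    esac
}

# Succeed only when Secure Boot is enforced and the certificate is enrolled.
verdict() {
    sb=$(sb_state "$1")
    mok=$(mok_state "$2")
    echo "secure-boot=$sb mok=$mok"
    [ "$sb" = enabled ] && [ "$mok" = enrolled ]
}

if [ "${1:-}" = "--live" ]; then
    # On the installed system, as root: sh check.sh --live test-signing-certs.der
    verdict "$(mokutil --sb-state 2>&1)" "$(mokutil --test-key "$2" 2>&1)"
    exit $?
fi

# Constructed sample: key imported in step 5, enrollment not yet completed.
verdict "SecureBoot disabled" "test-signing-certs.der is already in the enrollment request" \
    || echo "not ready: finish the MOK enrollment and enable Secure Boot"
```

A "pending" result means the import request was recorded but the enrollment at boot has not been completed yet.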

Tested hardware

So far, the steps above have been performed on the following hardware:

Buster installer images

Since 14th Jan 2019, our normal daily and weekly amd64 debian-installer images should boot and install correctly with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release.

See

If you test with one of these, please note the exact version (date) that you used.

Tested hardware

  1. Home-built PC using AsRock mainboard (H97 Pro4 P1.60) boots fine, installs fine using netinst and xfce CD images from 2019-01-14

  2. Minnowboard Turbot (boots and installs fine with the netinst image from 2019-01-16)

Buster live images

Since 16th Jan 2019, our normal weekly amd64 live images should live-boot with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release. They should also support installation of a Secure Boot enabled system directly.

See https://get.debian.org/images/weekly-live-builds/

If you test with one of these, please note the exact version (date) that you used.

Tested hardware

  1. Home-built PC using AsRock mainboard (H97 Pro4 P1.60) live-boots and installation works fine with gnome live image from 2019-01-16.

  2. Minnowboard Turbot (live-boots and installs fine with gnome live image from 2019-01-17)