/!\ This page used to describe testing Secure Boot in Debian when we were still using a temporary test key. We have now enabled signing with our production key, meaning a lot of the previous steps are now unnecessary.

Test procedure on an existing installation

This writeup only works if you have an already-installed and running system.

To test the Secure Boot feature on real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable or buster is needed. The following assumes an amd64 system, which is most likely.

2. Install the signed shim, GRUB and Linux packages:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-4-amd64

3. Enable Secure Boot

4. Reboot the machine and enjoy the Secure Boot feature :)

Do not forget to check that GRUB is loading the signed Linux image 4.19.0-4-amd64. You can also run the following command to check the Secure Boot status:

   $ mokutil --sb-state
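
The status check above can be scripted and cross-checked against the firmware's own SecureBoot variable, so that a disagreement between the two sources is reported instead of hidden. This is an added example, not part of the original page; the function names are made up here, and the string matching assumes mokutil prints `SecureBoot enabled` or `SecureBoot disabled`.

```shell
#!/bin/sh
# Added example: post-reboot Secure Boot check (not from the original page).

# SecureBoot variable in efivarfs, under the EFI global-variable GUID.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Classify the text printed by `mokutil --sb-state` (assumed wording, see above).
sb_state_from_mokutil() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Read an efivarfs file: 4 attribute bytes, then the 1-byte value (1 = enabled).
sb_state_from_efivar() {
    [ -r "$1" ] || { echo unknown; return; }
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine both sources; report a disagreement rather than picking one.
sb_verdict() {
    if [ "$1" = "$2" ]; then echo "$1"; else echo "mismatch($1/$2)"; fi
}

# Live check against the running system.
sb_check() {
    m=$(sb_state_from_mokutil "$(mokutil --sb-state 2>&1)")
    e=$(sb_state_from_efivar "$SB_VAR")
    sb_verdict "$m" "$e"
}

# Run the live check only when called as: sh script.sh check
if [ "${1:-}" = check ]; then
    sb_check
fi
```

A result of `enabled` means both mokutil and the firmware variable agree; `unknown` usually means the system was not booted via UEFI or efivarfs is not mounted.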

Tested hardware (testing key)

The initial testing steps have so far been performed on the following hardware:

Tested hardware (production key)

Buster installer images

Since 14th Jan 2019, our normal daily and weekly amd64 debian-installer images should boot and install correctly with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release.

If you test with one of these, please note the exact version (date) that you used.

Since the d-i buster alpha RC1 release, we have been using production keys and all our installer images should work out of the box with Secure Boot enabled.

See

Tested hardware (testing key)

Tested hardware (production key)

Buster live images

Since 16th Jan 2019, our normal weekly amd64 live images should live-boot with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release. Weekly live builds since at least 1st April 2019 should work without needing the test key.

They should also support installation of a Secure Boot enabled system directly.

See https://get.debian.org/images/weekly-live-builds/

If you test with one of these, please note the exact version (date) that you used.

Tested hardware (testing key)

Tested hardware (production key)