Differences between revisions 2 and 3
Revision 2 as of 2018-12-21 12:11:35
Size: 2137
Editor: LucasKanashiro
Revision 3 as of 2018-12-22 00:03:15
Size: 2134
Editor: PaulWise
Comment: fix typo https://codesearch.debian.net/search?q=Enrol.*+key+from+disk
Line 1: Line 1:
Line 50: Line 49:
            * Select the option {{{Enrolll key from disk}}}.             * Select the option {{{Enroll key from disk}}}.

To test the Secure Boot feature on real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable is needed

2. Install shim, grub and linux signed packages from unstable:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64

3. Download the test certificate:

   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem

4. Convert the certificate to DER format:

   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der

5. Import the test DER certificate as a MOK (Machine Owner Key). We have two ways of doing that:

  • a) Install mokutil and import the certificate using it:

   $ apt install mokutil
   $ mokutil --import test-signing-certs.der
  • The last command may require a password to manage the keys and certificates.
  • b) Place the certificate in /boot/efi/EFI/debian and add it using the graphical interface provided by shim. Boot into the EFI shell and run the following command:

Shell> fs0:\EFI\debian\mmx64.efi
  • Then, perform the actions below:
    • Select the option Enroll key from disk.

    • Select the disk option that represents your EFI partition.
    • Go to EFI/debian directory.

    • Select test-signing-certs.der.

    • Select Continue and confirm the action (Yes).

  • Now, our test certificate is enrolled and you can select Continue boot. To exit from EFI shell run:

Shell> exit

6. Enable Secure boot

7. Reboot the machine and enjoy the Secure boot feature :)

Do not forget to check that grub is loading the signed linux image 4.19.0-1-amd64.

The steps above have been performed on the following hardware so far:
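One way to check the result of steps 4 to 7 from the booted system, as an added example that is not part of the original wiki page. It assumes the kernel is installed at /boot/vmlinuz-4.19.0-1-amd64, that sbverify (package sbsigntool) is available, and that mokutil prints its usual "SHA1 Fingerprint:" and "SecureBoot enabled" lines:

```sh
#!/bin/sh
# Added example: checks to run after steps 4-7 of the procedure above.
# File names are the page's; the kernel path is an assumption.
CERT_PEM=${CERT_PEM:-test-signing-certs.pem}
CERT_DER=${CERT_DER:-test-signing-certs.der}
KERNEL=${KERNEL:-/boot/vmlinuz-4.19.0-1-amd64}

# Reduce fingerprint lines to bare lowercase hex. Accepts both the openssl
# form ("SHA1 Fingerprint=AA:BB") and the mokutil form ("SHA1 Fingerprint: aa:bb").
norm_fp() {
    sed -n 's/^[Ss][Hh][Aa]1 Fingerprint[=:] *//p' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# SHA-1 fingerprint of a certificate; $1 = pem|der, $2 = path.
cert_fp() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha1 | norm_fp
}

# Succeeds if fingerprint $1 occurs in `mokutil --list-enrolled` output on stdin.
mok_has_fp() {
    norm_fp | grep -qx "$1"
}

# Succeeds if `mokutil --sb-state` output on stdin reports Secure Boot enabled.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}

check_all() {
    fp=$(cert_fp der "$CERT_DER")
    [ -n "$fp" ] || { echo "cannot read $CERT_DER" >&2; return 1; }
    # Step 4: the DER file must be the same certificate as the PEM download.
    [ "$fp" = "$(cert_fp pem "$CERT_PEM")" ] ||
        { echo "DER and PEM certificates differ" >&2; return 1; }
    # Step 5: the certificate must be in the MOK list, not merely pending.
    mokutil --list-enrolled | mok_has_fp "$fp" ||
        { echo "certificate is not enrolled as a MOK" >&2; return 1; }
    # Step 6: the firmware must actually be enforcing Secure Boot.
    mokutil --sb-state | sb_enabled ||
        { echo "Secure Boot is not enabled" >&2; return 1; }
    # Final note on the page: the kernel must carry a signature that
    # validates against the test certificate.
    sbverify --cert "$CERT_PEM" "$KERNEL" ||
        { echo "kernel signature does not verify" >&2; return 1; }
    echo "all checks passed"
}

# Run the checks only on request, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it as `sh check.sh --run` (the script name is arbitrary) from the directory holding both certificate files.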

  • ThinkPad X230

  • Minnowboard Turbot