Size: 2137
Comment:
|
Size: 2134
Comment: fix typo https://codesearch.debian.net/search?q=Enrol.*+key+from+disk
|
Line 1: | Line 1: |
Line 50: | Line 49: |
* Select the option {{{Enrolll key from disk}}}. | * Select the option {{{Enroll key from disk}}}. |
To test the Secure Boot feature on real hardware, the steps below were followed:
1. First of all, a system running an up-to-date Debian unstable is needed.
2. Install shim, grub and linux signed packages from unstable:
   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64
3. Download the test certificate:
   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem
4. Convert the certificate to DER format:
   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der
5. Import the test DER certificate as a MOK (Machine Owner Key). We have two ways of doing that:
   a) Install mokutil and import the certificate using it:
      The last command may require a password to manage the keys and certificates.
   b) Place the certificate in /boot/efi/EFI/debian and add it using the graphical interface provided by shim. Boot into the EFI shell and run the following command:
      Shell> fs0:\EFI\debian\mmx64.efi
      Then, perform the actions below:
      - Select the option Enroll key from disk.
      - Select the disk option that represents your EFI partition.
      - Go to the EFI/debian directory.
      - Select test-signing-certs.der.
      - Select Continue and confirm the action (Yes).
      The test certificate is now enrolled and you can select Continue boot. To exit from the EFI shell, run:
      Shell> exit
6. Enable Secure Boot.
7. Reboot the machine and enjoy the Secure Boot feature.
Do not forget to check that GRUB is loading the signed Linux image 4.19.0-1-amd64.
The steps above have been performed on the following hardware so far:
- ThinkPad X230
- Minnowboard Turbot
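A check for steps 4 and 5, added here as an example and not part of the original wiki page: before enrolling the DER file as a MOK, confirm it is byte-for-byte the certificate from the downloaded PEM and was not truncated in transfer. `openssl x509` converts only the first certificate in its input, so the comparison is against the first PEM block; the function names are hypothetical and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Return the total size declared by the outer ASN.1 SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                  # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_der_list(pem_text: str) -> list:
    """Decode every CERTIFICATE block of a PEM file to DER, rejecting truncation."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("certificate is truncated or has trailing bytes")
        ders.append(der)
    return ders

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def der_matches_pem(der_file_bytes: bytes, pem_text: str) -> bool:
    """True if the DER file equals the first certificate in the PEM file."""
    ders = pem_to_der_list(pem_text)
    return bool(ders) and fingerprint(ders[0]) == fingerprint(der_file_bytes)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used only to build the sample below)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample: two tiny DER SEQUENCEs standing in for certificates.
SAMPLE_DERS = [b"\x30\x03\x02\x01\x05", b"\x30\x81\x80" + bytes(128)]
SAMPLE_PEM = "".join(to_pem(d) for d in SAMPLE_DERS)

if __name__ == "__main__":
    for i, der in enumerate(pem_to_der_list(SAMPLE_PEM)):
        print(i, len(der), fingerprint(der))
```

On a real system, pass the contents of test-signing-certs.der and test-signing-certs.pem to `der_matches_pem` and record the printed fingerprint alongside the enrollment.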