Differences between revisions 2 and 54 (spanning 52 versions)
Revision 2 as of 2018-12-21 12:11:35
Size: 2137
Editor: ?LucasKanashiro
Comment:
Revision 54 as of 2021-02-25 21:21:47
Size: 10751
Editor: ?SalvatoreBonaccorso
Comment:
Line 1: Line 1:
<<TableOfContents()>>
Line 2: Line 3:
/!\ '''This page used to describe testing Secure Boot in Debian when
we were still using a temporary test key. We have now enabled
signing with our production key, meaning a lot of the previous
steps are now un-necessary.'''

= Test procedure on an existing installation =

{{{#!wiki note
This writeup only works if you have an already-installed and running system.
}}}
Line 5: Line 16:
1. First of all, a system running an up-to-date Debian unstable or buster is needed. The following assumes an amd64 system, which is most likely.
Line 6: Line 18:
1. First of all, a system running an up-to-date Debian unstable is needed

2. Install shim, grub and linux signed packages from unstable:
2. Install the signed shim, grub and linux packages:
Line 11: Line 21:
$ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64
$ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-4-amd64
Line 14: Line 24:
3. Download the test certificate:
    
3. Enable {{{Secure boot}}}

4. Reboot the machine and enjoy the Secure boot feature :)


Do not forget to check that grub is loading the signed {{{linux image 4.19.0-4-amd64}}}. You can also run the following command to check the Secure Boot status:
Line 17: Line 31:
$ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem
$ mokutil --sb-state
Line 20: Line 34:
4. Convert the certificate to DER format:
    
{{{#!highlight bash
$ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der
}}}
== Tested hardware (testing key) ==
Line 26: Line 36:
5. Import the test DER certificate as a MOK (Machine Owner Key). We have two ways of doing that:
    
    a) Install mokutil and import the certificate using it:
        
{{{#!highlight bash
$ apt install mokutil
$ mokutil --import test-signing-certs.der
}}}
    
       The last command may require a password to manage the keys and certificates.
    
    
    b) Place the certificate in {{{/boot/efi/EFI/debian}}} and add it using the graphic interface provided by shim.
   
 
    Boot into the EFI shell and run the following command:
        
{{{
Shell> fs0:\EFI\debian\mmx64.efi
}}}
    
        Then, perform the actions below:
        

            * Select the option {{{Enroll key from disk}}}.

            * Select the disk option that represents your EFI partition.

            * Go to {{{EFI/debian}}} directory.

            * Select {{{test-signing-certs.der}}}.

            * Select {{{Continue}}} and confirm the action ({{{Yes}}}).

    
    Now, our test certificate is enrolled and you can select {{{Continue boot}}}. To exit from EFI shell run:

{{{
Shell> exit
}}}

6. Enable {{{Secure boot}}}

7. Reboot the machine and enjoy the Secure boot feature :)


Do not forget to check if grub is loading the signed {{{linux image 4.19.0-1-amd64}}}


The steps above were performed in the following hardware until now:
The initial testing steps were performed in the following hardware until now:
Line 79: Line 40:
    * HP 250 G4 (using method b)
    * ASUS ZenBook Pro 15 UX550GE
    * ASUS VivoBook Pro NX580GD-E4359R
        * 5 {{{mokutil}}} throws an error message, but it seems it has worked
        * no password asked when enrolling keys
        * after enabling secure boot in bios and rebooting everything seems OK as {{{mokutil --sb-state}}} responds {{{SecureBoot enabled}}}

    * Dell XPS 13 2013 (L322X) '''failed at 5.'''
        * [2019-01-08] tested by coucouf
            * {{{mokutil}}} fails with message {{{Failed to enroll new keys}}} and return code {{{255}}} after giving a new password twice
            * no visible way to get to a UEFI shell on that machine for method b)
    * ThinkPad Yoga12
      * {{{mokutil}}} fails with {{{Failed to enroll new keys}}}
      * 5b works with a shell on a VFAT USB stick from https://github.com/tianocore/edk2/tree/master/ShellBinPkg/UefiShell/X64 saved as '''EFI/BOOT/Shellx64.efi''' and booted from the USB stick. Then it is {{{
Shell> fs1:\EFI\debian\mmx64.efi
}}}
      * Bios setting Secure boot to Custom settings needed.
    * Home-build PC using AsRock mainboard (H97 Pro4 P1.60) (using method b)
    * ThinkPad T480
    * ThinkPad A285
      * [2019-01-09] tested by Haruki TSURUMOTO
        * {{{mokutil}}} failed.
    * HP EliteBook 840 G3
      * 5a fails: {{{mokutil}}} fails with {{{Failed to enroll new keys}}}
      * 5b works. No EFI shell available by default, but it was possible to launch mmx64.efi via "Boot from file" in the boot menu.
    * Dell Inspiron 15 - 5547
      * 5a works
    * Schenker S403 (Clevo W840SN based)
      * Tested and works with {{{cat /etc/issue}}} : '''Debian GNU/Linux buster/sid'''
      1. {{{shim-signed}}} had to be installed; {{{grub-efi-amd64-signed linux-image-4.19.0-1-amd64}}} were already installed with default Debian Buster preview installer
      * 5b works, 5a possibly fails
      * 5a: {{{mokutil}}} fails with {{{Failed to enroll new keys}}}; moreover, trying {{{mokutil --password}}} fails with {{{Failed to write MokPW}}}
      * 5b:
        1. after copying the certificate {{{test-signing-certs.der}}} to {{{/boot/efi/EFI/debian}}} and rebooting the {{{mokmanager tool}}} launches and certificates waiting to be imported can be selected, i.e. it was not necessary to select a file
        1. However, i.a., it shows the following {{{
Issuer: CN=secure-boot-test-key-lfaraone
        Validity
            Not Before: Apr 8 09:46:38 2018 GMT
            Not After : May 8 09:46:38 2018 GMT
}}}
        1. Leaving the menus with escape key seemed to not stop the import
      * Anyway, after rebooting and enabling Secure Boot Custom, Grub boots Debian and {{{mokutil --sb-state}}} shows {{{SecureBoot enabled}}}
      * {{{mokutil --list-enrolled}}} lists two certificates:
        * the first one as above with {{{[key 1]}}}
        * the second one with {{{[key 2]}}} having, i.a., {{{
Issuer: CN=Debian Secure Boot CA
        Validity
            Not Before: Aug 16 18:09:18 2016 GMT
            Not After : Aug 9 18:09:18 2046 GMT

}}}
      * Last, {{{VirtualBox}}} seems to be broken due to missing {{{virtualbox-dkms}}}
    * ASUS UX561UAR
    * Supermicro A1SAi-2750F BIOS 2.1 (method 5b)
      BIOS Security -> Secure Boot menu
       1. Secure Boot Mode [Custom]
       1. Key Management -> Default Key Provision [Enabled]
       1. Secure Boot Mode [Standard] (optional)
       1. Secure Boot [Enabled]
    * ThinkPad X270
      1. In UEFI setup menu, enable Secure Boot and then Reset to Setup Mode.
      1. Install {{{shim-signed}}} and the other packages.
      1. {{{mokutil --import}}} will throw errors at you but it has worked...
      1. Reboot and enrol the key through shim.
      1. Go back to UEFI setup and Restore Factory Keys. This does not wipe the MOKs.
      1. You should now be able to boot normally, with Secure Boot enabled.
    * ThinkPad P52S
      1. {{{mokutil --import}}} throws an error but everything actually works fine.
    * Razer Blade Pro (2017) FHD (RZ09-02202E75)
      1. Not currently able to enable external monitor through HDMI, due to ''modprobe: ERROR: could not insert 'nvidia_current': Required key not available''
    * Dell G3 15-3779 Laptop
    * Acer Aspire 7 ([[https://www.acer.com/ac/de/DE/content/model/NX.GPFEG.007|A717-71G]], [[https://www.acer.com/ac/de/DE/content/support-product/7297?b=1|current BIOS version 1.21]])
      * Tested and works with the Buster Sid image from March 18th 2019 ({{{cat /etc/issue}}} : '''Debian GNU/Linux buster/sid''')
      * '''Make sure that all BitLocker keys for Windows are available offline!!!'''
      * '''The Windows Recovery console is always accessible from Windows > Settings > Update and Security > Recovery: Advanced startup > Restart now'''
      * fresh Debian installation using a DVD/USB image from March 18th 2019 works fine using secure boot; booting from Windows Recovery console ''Use a device > UEFI USB device''
      * after installation, disabling secure boot is necessary, otherwise a blue screen will pop up telling that access has been refused
        * '''don't be alarmed to be asked for the BitLocker key''': just quit and jump into the Recovery console following the links below the dialog, then choose ''Options''
        * access the BIOS from the Windows Recovery console: ''Troubleshoot > UEFI firmware settings''
        * set a BIOS password in the ''Security'' tab of the BIOS (necessary for the next step)
        * then change the value for Secure Boot in the ''Boot'' tab to ''disable''
        * save and exit (F10)
      * Boot into Debian
        * either it now boots directly into it after disabling secure boot or
        * if it boots Windows instead, boot Debian from the Windows Recovery console choosing ''Use a device > debian''
      * {{{shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64}}} were already installed in the Debian installation with the Debian Buster preview installer image used
      * 5a fails: {{{mokutil}}} fails with {{{Failed to enroll new keys}}}
      * 5b works:
        1. open the BIOS (see above)
        1. from the ''Security'' tab choose {{{Select an UEFI file as trusted for executing}}}, select ''debian/EFI/mmx64.efi'' and choose a name for the boot entry
        1. save & exit (F10) and reboot
        1. now boot this file: either
           * reboot into Windows recovery console and choose ''Use a device'' and select whatever name you've given this boot entry or
           * boot into the BIOS and change the Boot order or
           * use the Boot menu (never worked for me)
        1. a blue screen with a dialog pops up
        1. follow the dialog to add the DER certificate
        1. reboot
        1. enable secure boot by changing back the value in the ''Boot'' tab of the BIOS to ''enable''
        1. fix the boot order if necessary
           * the boot order chosen in the BIOS seems to have the most impact
           * the name of the Grub/Debian boot entry in the BIOS is unreadable though
      * Booting into the Grub menu works fine now
      * no further issues so far
      * '''when booting into Windows, the BitLocker key for the system drive must be entered once'''

== Tested hardware (production key) ==

 * Dell XPS 13 (9350)

= Buster installer images =

Since '''14th Jan 2019''', our normal daily and weekly amd64 debian-installer images should boot and install correctly with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release.

'''If you test with one of these, please note the exact version (date) that you used.'''

Since the d-i buster alpha RC1 release, we have been using
production keys and all our installer images should work out of
the box with Secure Boot enabled.

See

 * https://get.debian.org/images/daily-builds/daily/current/amd64/iso-cd/ (daily netinst build)
 * https://get.debian.org/images/weekly-builds/ (weekly full builds)
 * https://get.debian.org/images/buster_di_rc1/ (buster d-i RC1)

== Tested hardware (testing key) ==

 * Home-build PC using AsRock mainboard (H97 Pro4 P1.60) boots fine, installs fine using netinst and xfce CD images from 2019-01-14
 * Minnowboard Turbot (boots and installs fine with the netinst image from 2019-01-16)
 * Razer Blade Pro (2017) FHD (RZ09-02202E75) with the image from 2019-03-16

== Tested hardware (production key) ==

 *

= Buster live images =

Since '''16th Jan 2019''', our normal weekly amd64 live images
should live-boot with Secure Boot enabled so long as the test key
is already imported for MOK to use. This includes the d-i buster
alpha 5 release. Weekly live builds since at least '''1st April
2019''' should work without needing the test key.

They should also support installation of a Secure Boot enabled
system directly.

See https://get.debian.org/images/weekly-live-builds/

'''If you test with one of these, please note the exact version (date) that you used.'''

== Tested hardware (testing key) ==

 * Home-build PC using AsRock mainboard (H97 Pro4 P1.60) live-boots and installation works fine with gnome live image from 2019-01-16.
 * Minnowboard Turbot (live-boots and installs fine with gnome live image from 2019-01-17)

== Tested hardware (production key) ==

 *

/!\ This page used to describe testing Secure Boot in Debian when we were still using a temporary test key. We have now enabled signing with our production key, meaning a lot of the previous steps are now un-necessary.

Test procedure on an existing installation

This writeup only works if you have an already-installed and running system.

For testing the secure boot feature on a real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable or buster is needed. The following assumes an amd64 system, which is most likely.

2. Install the signed shim, grub and linux packages:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-4-amd64

3. Enable Secure boot

4. Reboot the machine and enjoy the Secure boot feature :)

Do not forget to check that grub is loading the signed linux image 4.19.0-4-amd64. You can also run the following command to check the Secure Boot status:

   $ mokutil --sb-state
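The script below is an added example and is not part of this wiki page, of shim or of mokutil. It shows what the two checks used in this procedure actually read: the SecureBoot and SetupMode variables from an efivarfs-style directory (the bytes behind mokutil --sb-state), and shim's MokListRT variable decoded as a chain of EFI_SIGNATURE_LIST structures (what mokutil --list-enrolled prints, and where a MOK enrolled with the revision 2 steps ends up). It also strips PEM armour to DER the way step 4 of the revision 2 procedure does with openssl. The variable names and GUIDs are the standard UEFI and shim ones; the temporary directory, the placeholder certificate bytes, helper names such as make_fake_efivars and the choice of shim's GUID as SignatureOwner in the sample are constructed for this example.

```python
import base64
import os
import re
import struct
import tempfile
import uuid

# Variable GUIDs: efivarfs exposes each variable as /sys/firmware/efi/efivars/<Name>-<GUID>.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # SecureBoot, SetupMode
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"       # MokListRT, published by shim
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def pem_to_der(pem_text):
    """First certificate of a PEM file as DER, the bytes `openssl x509 -outform der` writes
    (openssl x509 likewise converts only the first block of a multi-certificate file)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def read_efivar(efivars_dir, name, guid):
    """Variable payload without the 4 attribute bytes efivarfs puts in front of every file."""
    with open(os.path.join(efivars_dir, f"{name}-{guid}"), "rb") as f:
        raw = f.read()
    if len(raw) < 4:
        raise ValueError(f"{name}: shorter than the efivarfs attribute prefix")
    return raw[4:]


def secure_boot_state(efivars_dir):
    """(secure_boot_enabled, setup_mode): the bytes behind `mokutil --sb-state`."""
    sb = read_efivar(efivars_dir, "SecureBoot", EFI_GLOBAL_VARIABLE)
    sm = read_efivar(efivars_dir, "SetupMode", EFI_GLOBAL_VARIABLE)
    return sb[0] == 1, sm[0] == 1


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structs; return [(sig_type, owner, payload)]."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize points outside the variable")
        if sig_size <= 16:
            raise ValueError("SignatureSize must cover the 16-byte SignatureOwner GUID")
        body = data[off + SIG_LIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def enrolled_moks(efivars_dir):
    """(owner, DER) for every X.509 entry in MokListRT, what `mokutil --list-enrolled` decodes."""
    try:
        data = read_efivar(efivars_dir, "MokListRT", SHIM_LOCK_GUID)
    except FileNotFoundError:  # booted without shim, so no MOK list is published
        return []
    return [(owner, der) for t, owner, der in parse_signature_lists(data)
            if t == EFI_CERT_X509_GUID]


# --- Constructed sample data for offline runs (placeholder bytes, not real certificates) ---
FAKE_CERT_A = b"\x30\x82\x00\x10" + b"A" * 16
FAKE_CERT_B = b"\x30\x82\x00\x20" + b"B" * 32  # a different length on purpose, see below
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_CERT_A).decode()
            + "\n-----END CERTIFICATE-----\n")


def build_signature_list(sig_type, owner, payload):
    """One EFI_SIGNATURE_LIST holding one signature. All entries of a list share
    SignatureSize, so variable-length X.509 certificates get one list each, which is
    how shim's MokManager stores enrolled keys."""
    sig_size = 16 + len(payload)
    hdr = SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + payload


def make_fake_efivars(secure_boot=1, setup_mode=0, certs=(FAKE_CERT_A, FAKE_CERT_B)):
    """Temporary directory laid out like /sys/firmware/efi/efivars (constructed for this example)."""
    d = tempfile.mkdtemp(prefix="efivars-")
    attrs = struct.pack("<I", 0x7)  # NV|BS|RT attribute word that efivarfs prepends
    owner = uuid.UUID(SHIM_LOCK_GUID)  # sample uses shim's GUID as SignatureOwner (informational field)
    moklist = b"".join(build_signature_list(EFI_CERT_X509_GUID, owner, c) for c in certs)
    for name, guid, payload in (("SecureBoot", EFI_GLOBAL_VARIABLE, bytes([secure_boot])),
                                ("SetupMode", EFI_GLOBAL_VARIABLE, bytes([setup_mode])),
                                ("MokListRT", SHIM_LOCK_GUID, moklist)):
        with open(os.path.join(d, f"{name}-{guid}"), "wb") as f:
            f.write(attrs + payload)
    return d


if __name__ == "__main__":
    real = "/sys/firmware/efi/efivars"
    store = real if os.path.isdir(real) else make_fake_efivars()
    enabled, setup = secure_boot_state(store)
    print(f"SecureBoot {'enabled' if enabled else 'disabled'}, SetupMode={int(setup)}")
    for owner, der in enrolled_moks(store):
        print(f"MOK owner={owner} DER length={len(der)}")
```

Run on a machine booted through shim it reads /sys/firmware/efi/efivars directly; anywhere else it falls back to the constructed store. SecureBoot 1 with SetupMode 0 is the state the hardware notes describe as working. While the firmware is in setup mode (SetupMode 1, as after the "Reset to Setup Mode" step in the ThinkPad X270 note) signatures are not enforced, which is why that note restores the factory keys before relying on Secure Boot again.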

Tested hardware (testing key)

The initial testing steps were performed in the following hardware until now:

  • ThinkPad X230

  • Minnowboard Turbot
  • HP 250 G4 (using method b)
  • ASUS ZenBook Pro 15 UX550GE

  • ASUS VivoBook Pro NX580GD-E4359R

    • 5 mokutil throws an error message, but it seems it has worked

    • no password asked when enrolling keys
    • after enabling secure boot in bios and rebooting everything seems OK as mokutil --sb-state responds SecureBoot enabled

  • Dell XPS 13 2013 (L322X) failed at 5.

    • [2019-01-08] tested by coucouf
      • mokutil fails with message Failed to enroll new keys and return code 255 after giving a new password twice

      • no visible way to get to a UEFI shell on that machine for method b)
  • ThinkPad Yoga12

  • Home-build PC using AsRock mainboard (H97 Pro4 P1.60) (using method b)

  • ThinkPad T480

  • ThinkPad A285

    • [2019-01-09] tested by Haruki TSURUMOTO
      • mokutil failed.

  • HP EliteBook 840 G3

    • 5a fails: mokutil fails with Failed to enroll new keys

    • 5b works. No EFI shell available by default, but it was possible to launch mmx64.efi via "Boot from file" in the boot menu.
  • Dell Inspiron 15 - 5547
    • 5a works
  • Schenker S403 (Clevo W840SN based)
    • Tested and works with cat /etc/issue : Debian GNU/Linux buster/sid

    • shim-signed had to be installed; grub-efi-amd64-signed linux-image-4.19.0-1-amd64 were already installed with default Debian Buster preview installer

    • 5b works, 5a possibly fails
    • 5a: mokutil fails with Failed to enroll new keys; moreover, trying mokutil --password fails with Failed to write MokPW

    • 5b:
      1. after copying the certificate test-signing-certs.der to /boot/efi/EFI/debian and rebooting the mokmanager tool launches and certificates waiting to be imported can be selected, i.e. it was not necessary to select a file

      2. However, i.a., it shows the following

        Issuer: CN=secure-boot-test-key-lfaraone
                Validity
                    Not Before: Apr  8 09:46:38 2018 GMT
                    Not After : May  8 09:46:38 2018 GMT
      3. Leaving the menus with escape key seemed to not stop the import
    • Anyway, after rebooting and enabling Secure Boot Custom, Grub boots Debian and mokutil --sb-state shows SecureBoot enabled

    • mokutil --list-enrolled lists two certificates:

      • the first one as above with [key 1]

      • the second one with [key 2] having, i.a.,

        Issuer: CN=Debian Secure Boot CA
                Validity
                    Not Before: Aug 16 18:09:18 2016 GMT
                    Not After : Aug  9 18:09:18 2046 GMT
    • Last, VirtualBox seems to be broken due to missing virtualbox-dkms

  • ASUS UX561UAR
  • Supermicro A1SAi-2750F BIOS 2.1 (method 5b)
    • BIOS Security -> Secure Boot menu

      1. Secure Boot Mode [Custom]
      2. Key Management -> Default Key Provision [Enabled]

      3. Secure Boot Mode [Standard] (optional)
      4. Secure Boot [Enabled]
  • ThinkPad X270

    1. In UEFI setup menu, enable Secure Boot and then Reset to Setup Mode.
    2. Install shim-signed and the other packages.

    3. mokutil --import will throw errors at you but it has worked...

    4. Reboot and enrol the key through shim.
    5. Go back to UEFI setup and Restore Factory Keys. This does not wipe the MOKs.
    6. You should now be able to boot normally, with Secure Boot enabled.
  • ThinkPad P52S

    1. mokutil --import throws an error but everything actually works fine.

  • Razer Blade Pro (2017) FHD (RZ09-02202E75)
    1. Not currently able to enable external monitor through HDMI, due to modprobe: ERROR: could not insert 'nvidia_current': Required key not available

  • Dell G3 15-3779 Laptop
  • Acer Aspire 7 (A717-71G, current BIOS version 1.21)

    • Tested and works with the Buster Sid image from March 18th 2019 (cat /etc/issue : Debian GNU/Linux buster/sid)

    • Make sure that all BitLocker keys for Windows are available offline!!!

    • The Windows Recovery console is always accessible from Windows > Settings > Update and Security > Recovery: Advanced startup > Restart now

    • fresh Debian installation using a DVD/USB image from March 18th 2019 works fine using secure boot; booting from Windows Recovery console Use a device > UEFI USB device

    • after installation, disabling secure boot is necessary, otherwise a blue screen will pop up telling that access has been refused
      • don't be alarmed to be asked for the BitLocker key: just quit and jump into the Recovery console following the links below the dialog, then choose Options

      • access the BIOS from the Windows Recovery console: Troubleshoot > UEFI firmware settings

      • set a BIOS password in the Security tab of the BIOS (necessary for the next step)

      • then change the value for Secure Boot in the Boot tab to disable

      • save and exit (F10)
    • Boot into Debian
      • either it now boots directly into it after disabling secure boot or
      • if it boots Windows instead, boot Debian from the Windows Recovery console choosing Use a device > debian

    • shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64 were already installed in the Debian installation with the Debian Buster preview installer image used

    • 5a fails: mokutil fails with Failed to enroll new keys

    • 5b works:
      1. open the BIOS (see above)
      2. from the Security tab choose Select an UEFI file as trusted for executing, select debian/EFI/mmx64.efi and choose a name for the boot entry

      3. save & exit (F10) and reboot

      4. now boot this file: either
        • reboot into Windows recovery console and choose Use a device and select whatever name you've given this boot entry or

        • boot into the BIOS and change the Boot order or
        • use the Boot menu (never worked for me)
      5. a blue screen with a dialog pops up
      6. follow the dialog to add the DER certificate
      7. reboot
      8. enable secure boot by changing back the value in the Boot tab of the BIOS to enable

      9. fix the boot order if necessary
        • the boot order chosen in the BIOS seems to have the most impact
        • the name of the Grub/Debian boot entry in the BIOS is unreadable though
    • Booting into the Grub menu works fine now
    • no further issues so far
    • when booting into Windows, the BitLocker key for the system drive must be entered once

Tested hardware (production key)

  • Dell XPS 13 (9350)

Buster installer images

Since 14th Jan 2019, our normal daily and weekly amd64 debian-installer images should boot and install correctly with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release.

If you test with one of these, please note the exact version (date) that you used.

Since the d-i buster alpha RC1 release, we have been using production keys and all our installer images should work out of the box with Secure Boot enabled.

See

Tested hardware (testing key)

  • Home-build PC using AsRock mainboard (H97 Pro4 P1.60) boots fine, installs fine using netinst and xfce CD images from 2019-01-14

  • Minnowboard Turbot (boots and installs fine with the netinst image from 2019-01-16)
  • Razer Blade Pro (2017) FHD (RZ09-02202E75) with the image from 2019-03-16

Tested hardware (production key)

Buster live images

Since 16th Jan 2019, our normal weekly amd64 live images should live-boot with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release. Weekly live builds since at least 1st April 2019 should work without needing the test key.

They should also support installation of a Secure Boot enabled system directly.

See https://get.debian.org/images/weekly-live-builds/

If you test with one of these, please note the exact version (date) that you used.

Tested hardware (testing key)

  • Home-build PC using AsRock mainboard (H97 Pro4 P1.60) live-boots and installation works fine with gnome live image from 2019-01-16.

  • Minnowboard Turbot (live-boots and installs fine with gnome live image from 2019-01-17)

Tested hardware (production key)