Differences between revisions 41 and 42
Revision 41 as of 2019-03-10 16:59:30
Size: 8840
Editor: KashifShah
Comment: Bug 922179 was fixed, shim-signed installs now.
Revision 42 as of 2019-03-11 23:24:14
Size: 8890
Editor: KashifShah
Comment: Added new test hardware

Test procedure on an existing installation

This writeup only works if you have an already-installed and running system.

For testing the Secure Boot feature on real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable is needed.

As of 2019-02-07, the firmware-buster-DI-alpha5-amd64-netinst ISO will not boot with UEFI Secure Boot enabled (tested on a Dell PowerEdge R630), so install with Secure Boot disabled and turn it on at step 6.

2. Install the signed shim, GRUB and kernel packages from unstable:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-3-amd64

3. Download the test signing certificate used for those packages:

   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem

4. Convert the certificate to DER format, which is what MokManager expects:

   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der

5. Enrol the DER certificate as a MOK (Machine Owner Key). There are two ways to do this; the hardware reports below refer to them as 5a and 5b, and on several machines only one of the two works:

  • a) Install mokutil and queue the certificate for enrolment with it:

   $ mokutil --import test-signing-certs.der

    mokutil asks you to set a one-time password. It is used at the next boot to confirm that the person at the console is the one who requested the key import; it only survives a single run of MokManager (mmx64.efi) and is cleared as soon as the enrolment completes or is cancelled. Reboot: shim should now launch MokManager by itself, with the queued certificate offered for enrolment, and ask for that password.

  • b) Place test-signing-certs.der in /boot/efi/EFI/debian and reboot. If shim does not launch MokManager by itself, start it manually: some firmwares have a "Boot from file" entry in the boot menu from which you can pick EFI/debian/mmx64.efi on the EFI partition; otherwise use an EFI shell (you can download one from the Tianocore project, and a user-friendly boot manager like rEFInd can give you a menu at boot time) and run:

Shell> fs0:\EFI\debian\mmx64.efi

    Then, in MokManager, perform the actions below:
    • Select the option Enroll key from disk.
    • Select the disk option that represents your EFI partition.
    • Go to the EFI/debian directory.
    • Select test-signing-certs.der.
    • Select Continue and confirm the action (Yes). Enrolling from disk only asks for this confirmation; the mokutil password is requested only for a certificate queued with method a).

  • Now the test certificate is enrolled and you can select Continue boot. If you started MokManager from the EFI shell, exit the shell with:

Shell> exit

6. Enable Secure Boot in the firmware (UEFI) setup.

7. Reboot the machine and enjoy the Secure Boot feature :)

Do not forget to check that GRUB loads the signed kernel installed in step 2 (linux-image-4.19.0-3-amd64 above). You can also check the Secure Boot status with:

   $ mokutil --sb-state
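The checks a tester would run after step 7, collected into one POSIX shell script. This is an added example and is not code from the wiki page or from the Debian project. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the path the Linux kernel uses), that mokutil and sbverify (from the sbsigntool package) may or may not be installed, and that the kernel image sits at /boot/vmlinuz-$(uname -r); the default issuer CN secure-boot-test-key-lfaraone is the one a tester saw for the test certificate in the Schenker S403 report below, so check it against your own .der. Reading the SecureBoot and SetupMode variables directly is the same information mokutil --sb-state gives, but it also shows the Setup Mode case that the ThinkPad X270 notes below go through.

```shell
#!/bin/sh
# Added example, not part of the wiki page: post-enrolment checks for the
# procedure above. Assumes Linux with efivarfs at /sys/firmware/efi/efivars;
# mokutil and sbverify (package sbsigntool) are optional.
# Usage: sh sbcheck.sh check [test-signing-certs.pem] [vmlinuz]

EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# Each efivarfs file is 4 bytes of variable attributes followed by the data.
# SecureBoot and SetupMode are one-byte booleans: 1 = true, 0 = false.
# Prints that byte, or "absent" when the variable file does not exist
# (no UEFI, or the system was booted in legacy BIOS mode).
efivar_flag() {
    [ -r "$1" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Combine SecureBoot with SetupMode. A firmware that has been "Reset to Setup
# Mode" accepts key database changes without authentication, so a 1 in
# SecureBoot means nothing is enforced in that state.
# Arguments: path of the SecureBoot variable, path of the SetupMode variable.
sb_state() {
    sb=$(efivar_flag "$1")
    setup=$(efivar_flag "$2")
    case "$sb:$setup" in
        absent:*) echo "no UEFI variables (legacy boot?)" ;;
        1:1)      echo "SecureBoot set, but firmware is in Setup Mode (not enforced)" ;;
        1:*)      echo "SecureBoot enabled" ;;
        0:*)      echo "SecureBoot disabled" ;;
        *)        echo "unexpected values SecureBoot=$sb SetupMode=$setup" ;;
    esac
}

# True if mokutil lists an enrolled MOK whose issuer CN matches $1.
# mokutil --list-enrolled prints the certificates in openssl text form.
mok_has_issuer() {
    mokutil --list-enrolled 2>/dev/null | grep -q "Issuer: CN=$1"
}

# Subject, issuer and validity window of a certificate ($2 = pem or der):
# know what you are about to trust before you enrol it.
cert_info() {
    openssl x509 -inform "${2:-pem}" -in "$1" -noout -subject -issuer -dates
}

# Check that an EFI binary (kernel, GRUB, shim) carries an Authenticode
# signature made with the key in the PEM certificate, the same check the
# shim/GRUB chain performs at boot.
signed_by() {
    sbverify --cert "$1" "$2"
}

main() {
    pem=${1:-test-signing-certs.pem}
    kernel=${2:-/boot/vmlinuz-$(uname -r)}
    echo "firmware: $(sb_state "$EFIVARS/SecureBoot-$EFI_GLOBAL" "$EFIVARS/SetupMode-$EFI_GLOBAL")"
    if command -v mokutil >/dev/null 2>&1; then
        # MOK_ISSUER_CN is a hypothetical environment override for this script.
        if mok_has_issuer "${MOK_ISSUER_CN:-secure-boot-test-key-lfaraone}"; then
            echo "MOK: test certificate is enrolled"
        else
            echo "MOK: test certificate not found in the enrolled MOK list"
        fi
    fi
    [ -r "$pem" ] && cert_info "$pem"
    if command -v sbverify >/dev/null 2>&1 && [ -r "$kernel" ]; then
        signed_by "$pem" "$kernel" && echo "kernel: $kernel is signed by $pem"
    fi
}

case "${1:-}" in
    check) shift; main "$@" ;;
esac
```

Run it as `sh sbcheck.sh check` once booted with Secure Boot enabled; the functions can also be sourced and called one at a time, for instance `efivar_flag` on a copied-out variable file when diagnosing a machine offline.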

Tested hardware

The steps above have been performed on the following hardware so far:

  • ThinkPad X230
  • Minnowboard Turbot
  • HP 250 G4 (using method b)
  • ASUS ZenBook Pro 15 UX550GE
  • ASUS VivoBook Pro NX580GD-E4359R

    • 5: mokutil throws an error message, but it seems it has worked

    • no password asked when enrolling keys
    • after enabling secure boot in bios and rebooting everything seems OK as mokutil --sb-state responds SecureBoot enabled

  • Dell XPS 13 2013 (L322X) failed at 5.

    • [2019-01-08] tested by coucouf
      • mokutil fails with message Failed to enroll new keys and return code 255 after giving a new password twice

      • no visible way to get to a UEFI shell on that machine for method b)
  • ThinkPad Yoga12
  • Home-build PC using AsRock mainboard (H97 Pro4 P1.60) (using method b)
  • ThinkPad T480
  • ThinkPad A285

    • [2019-01-09] tested by Haruki TSURUMOTO
      • mokutil failed.

  • HP EliteBook 840 G3

    • 5a fails: mokutil fails with Failed to enroll new keys

    • 5b works. No EFI shell available by default, but it was possible to launch mmx64.efi via "Boot from file" in the boot menu.
  • Dell Inspiron 15 - 5547
    • 5a works
  • Schenker S403 (Clevo W840SN based)
    • Tested and works; cat /etc/issue gives: Debian GNU/Linux buster/sid

    • shim-signed had to be installed; grub-efi-amd64-signed linux-image-4.19.0-1-amd64 were already installed with default Debian Buster preview installer

    • 5b works, 5a possibly fails
    • 5a: mokutil fails with Failed to enroll new keys; moreover, trying mokutil --password fails with Failed to write MokPW

    • 5b:
      1. after copying the certificate test-signing-certs.der to /boot/efi/EFI/debian and rebooting the mokmanager tool launches and certificates waiting to be imported can be selected, i.e. it was not necessary to select a file

      2. However, i.a., it shows the following

        Issuer: CN=secure-boot-test-key-lfaraone
                Validity
                    Not Before: Apr  8 09:46:38 2018 GMT
                    Not After : May  8 09:46:38 2018 GMT
      3. Leaving the menus with escape key seemed to not stop the import
    • Anyway, after rebooting and enabling Secure Boot Custom, Grub boots Debian and mokutil --sb-state shows SecureBoot enabled

    • mokutil --list-enrolled lists two certificates:

      • the first one as above with [key 1]

      • the second one with [key 2] having, i.a.,

        Issuer: CN=Debian Secure Boot CA
                Validity
                    Not Before: Aug 16 18:09:18 2016 GMT
                    Not After : Aug  9 18:09:18 2046 GMT
    • Last, VirtualBox seems to be broken due to missing virtualbox-dkms

  • ASUS UX561UAR
  • Supermicro A1SAi-2750F BIOS 2.1 (method 5b)
    • BIOS Security -> Secure Boot menu

      1. Secure Boot Mode [Custom]
      2. Key Management -> Default Key Provision [Enabled]

      3. Secure Boot Mode [Standard] (optional)
      4. Secure Boot [Enabled]
  • ThinkPad X270

    1. In UEFI setup menu, enable Secure Boot and then Reset to Setup Mode.
    2. Install shim-signed and the other packages.

    3. mokutil --import will throw errors at you but it has worked...

    4. Reboot and enrol the key through shim.
    5. Go back to UEFI setup and Restore Factory Keys. This does not wipe the MOKs.
    6. You should now be able to boot normally, with Secure Boot enabled.
  • ThinkPad P52S

    1. mokutil --import throws an error but everything actually works fine.

  • Razer Blade Pro (2017) FHD (RZ09-02202E75)

Buster installer images

Since 14th Jan 2019, our normal daily and weekly amd64 debian-installer images should boot and install correctly with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release.

See

If you test with one of these, please note the exact version (date) that you used.

Tested hardware

  1. Home-build PC using AsRock mainboard (H97 Pro4 P1.60) boots fine, installs fine using netinst and xfce CD images from 2019-01-14

  2. Minnowboard Turbot (boots and installs fine with the netinst image from 2019-01-16)

Buster live images

Since 16th Jan 2019, our normal weekly amd64 live images should live-boot with Secure Boot enabled so long as the test key is already imported for MOK to use. This includes the d-i buster alpha 5 release. They should also support installation of a Secure Boot enabled system directly.

See https://get.debian.org/images/weekly-live-builds/

If you test with one of these, please note the exact version (date) that you used.

Tested hardware

  1. Home-build PC using AsRock mainboard (H97 Pro4 P1.60) live-boots and installation works fine with gnome live image from 2019-01-16.

  2. Minnowboard Turbot (live-boots and installs fine with gnome live image from 2019-01-17)