Test procedure on an existing installation

To test the Secure Boot feature on real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable is needed

2. Install shim, grub and linux signed packages from unstable:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64

3. Download the test certificate:

   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem

4. Convert the certificate to DER format:

   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der

5. Import the test DER certificate as a MOK (Machine Owner Key). There are 2 steps to follow:

   $ mokutil --import test-signing-certs.der

   Shell> fs0:\EFI\debian\mmx64.efi

   Shell> exit

6. Enable Secure boot

7. Reboot the machine and enjoy the Secure boot feature :)

Do not forget to check if grub is loading the signed linux image 4.19.0-1-amd64. You can also run the following command to check the Secure Boot status:

   $ mokutil --sb-state
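
As a cross-check of the `mokutil --sb-state` step, the following added example (not part of the original page) reads the UEFI `SecureBoot` and `SetupMode` variables directly from efivarfs. The function names are hypothetical, and it assumes efivarfs is mounted at /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: read the firmware's Secure Boot state straight from efivarfs.
# Assumes efivarfs is mounted at /sys/firmware/efi/efivars (override via $1).

# GUID of the UEFI global-variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the value of a one-byte EFI variable. efivarfs prefixes the payload
# with a 4-byte attribute word, so the value is the 5th byte of the file.
# Returns 2 if the file is missing, unreadable or too short.
efivar_byte() {
    [ -r "$1" ] || return 2
    val=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$val" ] || return 2
    printf '%s\n' "$val"
}

# Print one of: enabled, setup-mode, disabled, unsupported.
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || { echo unsupported; return 0; }
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || setup=0
    if [ "$sb" = 1 ]; then
        echo enabled        # firmware is enforcing signature checks
    elif [ "$setup" = 1 ]; then
        echo setup-mode     # no Platform Key enrolled, nothing is enforced
    else
        echo disabled       # user mode, enforcement switched off
    fi
}

sb_state
```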

Tested hardware

The steps above have been performed on the following hardware so far:

Buster installer images

Since 14th Jan 2019, our normal daily and weekly amd64 debian-installer images should boot and install correctly with Secure Boot enabled without needing any special steps.

See

If you test with one of these, please note the exact version (date) that you used.

Tested hardware

  1. Home-built PC using AsRock mainboard (H97 Pro4 P1.60) boots fine, installs fine using netinst and xfce CD images from 2019-01-14

  2. Minnowboard Turbot (boots and installs fine with the netinst CD image from 2019-01-16)

Buster live images

Since 16th Jan 2019, our normal weekly amd64 live images should live-boot with Secure Boot enabled without needing any special steps. They should also support installation of a Secure Boot enabled system directly.

See https://get.debian.org/images/weekly-live-builds/

If you test with one of these, please note the exact version (date) that you used.

Tested hardware

  1. Home-built PC using AsRock mainboard (H97 Pro4 P1.60) live-boots and installation works fine with gnome live image from 2019-01-16.