Secure Boot
Donate
Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled.
Introduction[edit]
Secure Boot is a feature designed to help protect your computer by allowing only trusted software to run during startup. It ensures that the system boots with software that hasn't been tampered with. However, in practice, Secure Boot has been criticized for acting as an anti-competitive tool by Microsoft, as it can prevent users from easily switching from Windows to alternative operating systems such as Linux. In practice, until a full Verified Boot gets implemented by a Freedom Software Linux desktop distribution, the security advantage is marginal. Technical details can be found on Secure Boot (developers). User freedom restrictions are documented in chapter "restricted boot".
Kicksecure Secure Boot Compatibility[edit]
Kicksecure is compatible with computer hardware provider default (Microsoft) provided keys. Disabling Secure Boot is optional. However, if the user keeps Secure Boot enabled, DKMS key enrollment is recommended, which is documented below.
Rationale for DKMS Signing Key Enrollment[edit]
Without a DKMS Signing Key, the following functionality will be broken:
- CPU Information Leak Protection (TCP ISN)
is implemented through the custom kernel module tirdad. - VirtualBox host operating system software.
- Any other kernel modules not shipped by Debian.
This is because, when Secure Boot is enabled, custom (non-mainline in Linux) kernel modules are rejected by the Linux kernel.
Symptoms[edit]
You will see a journal message if Secure Boot is disabled and an unsigned kernel module is being loaded.
tirdad: module verification failed: signature and/or required key missing - tainting kernel
Secure Boot DKMS Signing Key Enrollment[edit]
1. To import the MOK certificate, make sure mokutil is installed.
It is installed by default in Kicksecure.
Install package(s) mokutil following these instructions
1 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2
Update the package lists and upgrade the system
.
sudo apt update && sudo apt full-upgrade
3 Install the mokutil package(s).
Using apt command line
--no-install-recommends option
is in most cases optional.
sudo apt install --no-install-recommends mokutil
4 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per
Qubes Template Modification
.
5 Done.
The procedure of installing package(s) mokutil is complete.
2. Check if Secure Boot is enabled:
sudo mokutil --sb-state
Expected output:
SecureBoot enabled
If Secure Boot is not enabled, no further steps from this wiki chapter need to be applied.
3. Import the DKMS MOK key.
sudo mokutil --import /var/lib/dkms/mok.pub
4. Password entry.
You'll be prompted to create a password. Enter it twice.
5. Reboot the computer.
sudo reboot
6. MOK Manager EFI interface.
At boot, you'll see the MOK Manager EFI interface:
7. Press any key to enter it, then select "Enroll MOK":
8. Then select "Continue":
9. Confirm with "Yes" when prompted:
10. After this, enter the password you set up with mokutil --import in the previous step:
11. At this point, you are done. Select "OK," and the computer will reboot, trusting the key for your modules:
12. After reboot, you can inspect the MOK certificates with the following command:
sudo mokutil --list-enrolled
Expected output:
Subject: CN=DKMS module signing key
13. To check the signature on a built DKMS module that is installed on a system:
sudo modinfo dkms_test
signer: DKMS module signing key
14. Done.
The module can now be loaded without issues.
Credits: Based on https://github.com/dell/dkms?tab=readme-ov-file#secure-boot
Disable Secure Boot[edit]
Disable Secure Boot using update-secureboot-policy[edit]
Secure Boot can be disabled using update-secureboot-policy.
This tool is available only for Debian-based distributions, such as Kicksecure and Whonix. For other Linux distributions, see the alternative below.
1. Choose one of these methods:
- A) Terminal-based graphical user interface: sudo update-secureboot-policy
- B) Command-line interface: sudo update-secureboot-policy --disable
2. Reboot your system.
3. Done.
Disable Secure Boot in BIOS/UEFI[edit]
Alternatively, Secure Boot can be disabled using the firmware setup (BIOS/UEFI).
1. Restart your computer and enter the BIOS/UEFI settings.
2. Locate the Secure Boot option and disable it.
3. Save changes and exit.
4. Done.
Errors[edit]
EFI variables are not supported on this system[edit]
If you see the following error message:
EFI variables are not supported on this system
In this case, EFI is not enabled, which by extension means that Secure Boot is not enabled either. Therefore, it is unnecessary for the DKMS MOK key to be imported. No further user action is required.
Development[edit]
Other Projects on Secure Boot[edit]
See Also[edit]
Footnotes[edit]
A secure by default operating system with the latest security research in place.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!