Secure Boot

From Kicksecure
Jump to navigation Jump to search

Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled.

Introduction[edit]

Secure Boot is a feature designed to help protect your computer by allowing only trusted software to run during startup. It ensures that the system boots with software that hasn't been tampered with. However, in practice, Secure Boot has been criticized for acting as an anti-competitive tool by Microsoft, as it can prevent users from easily switching from Windows to alternative operating systems such as Linux. In practice, until a full Verified Boot gets implemented by a Freedom Software Linux desktop distribution, the security advantage is marginal. Technical details can be found on Secure Boot (developers). User freedom restrictions are documented in chapter "restricted boot".

Kicksecure Secure Boot Compatibility[edit]

Kicksecure is compatible with computer hardware provider default (Microsoft) provided keys. Disabling Secure Boot is optional. However, if the user keeps Secure Boot enabled, DKMS key enrollment is recommended, which is documented below.

Rationale for DKMS Signing Key Enrollment[edit]

Without a DKMS Signing Key, the following functionality will be broken:

This is because, when Secure Boot is enabled, custom (non-mainline in Linux) kernel modules are rejected by the Linux kernel.

Symptoms[edit]

You will see a journal message if Secure Boot is disabled and an unsigned kernel module is being loaded. 

tirdad: module verification failed: signature and/or required key missing - tainting kernel

Secure Boot DKMS Signing Key Enrollment[edit]

1. To import the MOK certificate, make sure mokutil is installed.

It is installed by default in Kicksecure.

Install package(s) mokutil following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the systemOnion Logo.

Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade

3 Install the mokutil package(s).

Using apt command line --no-install-recommends optionOnion Logo is in most cases optional.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends mokutil

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template ModificationOnion Logo.

5 Done.

The procedure of installing package(s) mokutil is complete.

2. Check if Secure Boot is enabled:

Click = Copy Copied to clipboard! sudo mokutil --sb-state

Expected output: 

SecureBoot enabled

If Secure Boot is not enabled, no further steps from this wiki chapter need to be applied.

3. Import the DKMS MOK key.

Click = Copy Copied to clipboard! sudo mokutil --import /var/lib/dkms/mok.pub

4. Password entry.

You'll be prompted to create a password. Enter it twice.

5. Reboot the computer.

Click = Copy Copied to clipboard! sudo reboot

6. MOK Manager EFI interface.

At boot, you'll see the MOK Manager EFI interface:

SHIM UEFI key management

7. Press any key to enter it, then select "Enroll MOK":

Perform MOK management

8. Then select "Continue":

Enroll MOK

9. Confirm with "Yes" when prompted:

Enroll the key(s)?

10. After this, enter the password you set up with mokutil --import in the previous step:

Enroll the key(s)?

11. At this point, you are done. Select "OK," and the computer will reboot, trusting the key for your modules:

Perform MOK management

12. After reboot, you can inspect the MOK certificates with the following command:

Click = Copy Copied to clipboard! sudo mokutil --list-enrolled

Expected output: 

        Subject: CN=DKMS module signing key

13. To check the signature on a built DKMS module that is installed on a system:

Click = Copy Copied to clipboard! sudo modinfo dkms_test 

signer:         DKMS module signing key

14. Done.

The module can now be loaded without issues.

Credits: Based on https://github.com/dell/dkms?tab=readme-ov-file#secure-bootarchive.org iconarchive.today icon

Disable Secure Boot[edit]

Disable Secure Boot using update-secureboot-policy[edit]

Secure Boot can be disabled using update-secureboot-policy.

This tool is available only for Debian-based distributions, such as Kicksecure and Whonix. For other Linux distributions, see the alternative below.

1. Choose one of these methods:

  • A) Terminal-based graphical user interface: Click = Copy Copied to clipboard! sudo update-secureboot-policy
  • B) Command-line interface: Click = Copy Copied to clipboard! sudo update-secureboot-policy --disable

2. Reboot your system.

3. Done.

Disable Secure Boot in BIOS/UEFI[edit]

Alternatively, Secure Boot can be disabled using the firmware setup (BIOS/UEFI).

1. Restart your computer and enter the BIOS/UEFI settings.

2. Locate the Secure Boot option and disable it.

3. Save changes and exit.

4. Done.

Errors[edit]

EFI variables are not supported on this system[edit]

If you see the following error message: 

EFI variables are not supported on this system

In this case, EFI is not enabled, which by extension means that Secure Boot is not enabled either. Therefore, it is unnecessary for the DKMS MOK key to be imported. No further user action is required.

Development[edit]

Other Projects on Secure Boot[edit]

See Also[edit]

Footnotes[edit]

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Secure_Boot&oldid=87533"