So, I am basically a Linux user and just hop onto Windows whenever I want to play games or anything stupid. Most of my games now actually run when secure boot is enabled but as I am using Kali already as my main and working OS. So, is it possible that I can enable secure boot and when I am done using Windows I restart disable the secure boot and run grub boot loader which is by default right now? Or will it cause errors? I don't know how to properly signed os right now.

**The goal is to sign the mender yocto image and run it on secure boot enabled raspberry pi**. I have raspberrypi-4 and the yocto image from mender (open source OTA platform). To give a quick try here is the link: **Image and Modified Files ** of generated image flash to sd card using **rasbperry pi imager **, sign with private key and **step-2** flash secure-boot-recovery pieeprom via rpiboot and boot. Referred to **Secure Boot Example Readme ** enabled secure boot on rasberrypi-4. **Step-1 Generate private key for generating signed images** Source python virtual environment, install the pycryptodmex and generate private key, then export variable KEY_FILE. source path/to/python/virtual_env/activate pip install pycryptodomex openssl genrsa 2048 > private.pem export KEY_FILE=$(pwd)/private.pem **Step-2 Secure-boot-recovery for flashing signed pieeprom to raspberrypi-4** Once the private key is generated, cloned the secure boot git reposistory and complied to get rpiboot binary. git clone https://github.com/raspberrypi/usbboot secure-boot cd secure-boot git submodule update --init make To enabled rpiboot mode, updated the program_rpiboot_gpio=5 in secure-boot/secure-boot-recovery/config.txt and connected it GND pin, then connected the raspberrypi-4 to host with usb type-C Then in secure boot directory sign the pieeprom image with generate private key in step-1 and flash it to eeprom. cd secure-boot-recovery ../tools/update-pieeprom.sh -k "${KEY_FILE}" cd .. ./rpiboot -d secure-boot-recovery Now secure boot is enabled on raspberrypi-4 it will only run signed images and refereeing to document **Raspberry Pi 4 Boot Security ** raspberrypi4 expects singed boot.img. **Step-3 Process to create a signed mender yocto image** In this process the mender yocto image is modified, the mender yocto image create a sdcard flashable imagename.sdimg which contain boot partition, Root A/B partition and data parition, so to flash boot files to boot partition it creates imagename.bootimg and then it is packaged to imagename.sdimg, to make it work with rasberrypi-4 secure boot enabled i modified files two yocto recipe file **mender-bootimg.bbclass** and **mender-part-images.bbclass** from **classes ** here are the modified files **Image and Modified Files ** that made **imagename.bootimg** to **boot.img** also added the image signing code by refereeing **sign.sh** script secure-boot/secure-boot-example and **rpi-eeprom-digest.sh** script secure-boot/tools/rpi-eeprom. Dependencies: python virtual env and kas need to be installed source /path/to/python/venv/activate pip install kas mkdir mender-raspberrypi4 && cd mender-raspberrypi4 git clone https://github.com/theyoctojester/meta-mender-community -b scarthgap cd meta-mender-community mkdir my-raspberrypi4 && cd my-raspberrypi4 After modification of files to build image **Build Command** kas build ../kas/demos/raspberrypi4-64-wifi.yml After build is complete flash imagename.sdimg to sdcard using raspberry pi Imager, below are the boot logs captured serially where got the error complaining boot.img not found on sdcard, please let me know if anything I'm missing in it. **Errors Logs:** 2.62 RPi: BOOTLOADER release VERSION:69471177 DATE: 2025/05/08 TIME: 16:21:35 2.62 BOOTMODE: 0x06 partition 0 build-ts BUILD_TIMESTAMP=1746717695 serial 7c2 2.36 Unsupported boot order 6 2.61 Boot mode: SD (01) order f254 2.82 SD HOST: 200000000 CTL0: 0x00800000 BUS: 400000 Hz actual: 390625 HZ div6 2.83 SD HOST: 200000000 CTL0: 0x00800f00 BUS: 400000 Hz actual: 390625 HZ div6 2.98 OCR c0ff8000 CID: 000353444a554c494580d5b740550127 CSD: 400e00325b59000076b27f800a404000 2.98 SD: bus-width: 4 spec: 2 SCR: 0x02358043 0x00000000 2.99 SD HOST: 200000000 CTL0: 0x00800f04 BUS: 50000000 Hz actual: 50000000 HZ2 3.00 MBR: 0x0000c000, 206848 type: 0x0c 3.01 MBR: 0x00040000, 770048 type: 0x83 3.01 MBR: 0x000fc000, 770048 type: 0x83 3.01 MBR: 0x001b8000, 262144 type: 0x83 3.21 Trying partition: 0 3.49 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4) 3.05 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512 3.06 FAT16 clusters 51603 3.06 [sdcard] autoboot.txt not found 3.06 Select partition rsts 0 C(boot_partition) 0 EEPROM config 0 result 1 3.71 Trying partition: 1 3.76 type: 16 lba: 49152 'mkfs.fat' ' V ^ ' clusters 51603 (4) 3.08 rsc 4 fat-sectors 200 root dir cluster 1 sectors 32 entries 512 3.08 FAT16 clusters 51603 3.89 secure-boot 3.91 Loading boot.img ... 3.09 boot.sig 3.09 hash: b70a74e651e9bde92dd921ac6b26c9704077bcec431518c384aafd0c39f98fc7 3.10 ts: 1750829740 3.10 rsa2048: 7937a7eeacf12d1433011cc1fcbd57901e0d0796fafce03d811a44e54f255f8c 3.15 [sdcard] boot.img not found 3.53 Error 6 loading boot.img 3.55 Boot mode: USB-MSD (04) order f25 3.17 PCI0 init 3.17 PCI0 reset 3.34 PCIe scan 00001106:00003483 3.46 XHCI-STOP 3.46 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb 3.47 USBSTS 11 3.47 xHC0 ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb 3.48 xHC0 ports 5 slots 32 intrs 4 3.18 USB2[3] 400202e1 connected 3.33 USB2 root HUB port 1 init 3.53 DEV [01:00] 2.16 000000:01 class 9 VID 2109 PID 3431 3.53 HUB init [01:00] 2.16 000000:01

I have laptop DELL latitude 5491 with preinstalled Windows 10 with secure boot enabled and EFI mode. After I purchased, I installed Ubuntu 20.04 next to Windows as a dualboot with still secure boot enabled/EFI. Partitions 2,3 and 5 are for Windows system, Partition 1 and 4 are for Ubuntu. On Partition 6 is stored ISO of Clonezilla live CD for backuping. So far everything is working well. In the next step I stored unpacked ISO of Parted Magic live CD on Partition 7, edited the grub menu, but booting the Parted Magic from grub menu ends in error with invalid signature for BzImage... However, when I boot the Parted Magic directly from EFI (temporary boot menu or EFI setup), system normally started. Where there may be a problem? Its look like Partitions layout: Device Start End Sectors Size Type /dev/sda1 2048 1394687 1392640 680M EFI System /dev/sda2 1394688 1656831 262144 128M Microsoft reserved /dev/sda3 1656832 507570175 505913344 241,2G Microsoft basic data /dev/sda4 507570176 983883775 476313600 227,1G Linux filesystem /dev/sda5 983883776 985911295 2027520 990M Windows recovery environment /dev/sda6 985911296 987500543 1589248 776M Linux filesystem /dev/sda7 987500544 1000214527 12713984 6,1G Microsoft basic data Edited 40_custom file: #!/bin/sh exec tail -n +3 $0 # This file provides an easy way to add custom menu entries. Simply type the # menu entries you want to add after this comment. Be careful not to change # the 'exec tail' line above. menuentry "clonezilla" { set isofile="/clonezilla-live-20210127-groovy-amd64.iso" loopback loop (hd0,gpt6)$isofile linuxefi (loop)/live/vmlinuz boot=live components config findiso=$isofile ip=frommedia toram=filesystem.squashfs union=overlay username=user initrdefi (loop)/live/initrd.img } menuentry "partedmagic" { insmod chain set root=(hd0,gpt7) configfile /boot/grub/grub.cfg } grub.cfg file: set default="0" set timeout="20" set hidden_timeout_quiet=false set gfxmode=auto insmod efi_gop insmod efi_uga insmod gfxterm terminal_output gfxterm set color_normal=white/black set color_highlight=black/white loadfont /boot/grub/unicode.pf2 background_image /boot/grub/pmagic.png set default_settings="edd=on vga=normal mem=32G" set live_settings="boot=live eject=no" set linux="/pmagic/bzImage" set initrd_img="/pmagic/initrd.img /pmagic/fu.img /pmagic/m.img" set default=2 set message="Loading kernel and initramfs. Please wait..." menuentry "Parted Magic UEFI Boot Menu"{ set } menuentry ' '{ set } menuentry "1. Default settings (Runs from RAM 4GB+)"{ echo $message search --set -f $linux linux $linux $default_settings initrd $initrd_img } menuentry "1a. Default settings with 4K Monitor"{ echo $message search --set -f $linux linux $linux $default_settings m4k=yes initrd $initrd_img } menuentry "1b. Default settings + language menu"{ echo $message search --set -f $linux linux $linux $default_settings lang=yes initrd $initrd_img } menuentry ' '{ true } menuentry "2. Live with default settings (2GB+ RAM)"{ echo $message search --set -f $linux linux $linux $default_settings $live_settings initrd $initrd_img } menuentry "2a. Live with default settings + language menu"{ echo $message search --set -f $linux linux $linux $default_settings $live_settings lang=yes initrd $initrd_img } menuentry ' '{ true } menuentry "3. Black/Blank Screen workaround"{ echo $message search --set -f $linux linux $linux $default_settings nomodeset initrd $initrd_img } menuentry "4. No official NVIDIA driver - Use Nouveau NVIDIA driver instead."{ echo $message search --set -f $linux linux $linux $default_settings modprobe="nouveau" initrd $initrd_img } menuentry "5. *** Hyper-V ***"{ echo $message search --set -f $linux linux $linux $default_settings fbdev=yes initrd $initrd_img } menuentry "6. Memtest86+" { chainloader /boot/memtest/BOOTX64.EFI } menuentry "7. EFI Shell" { insmod fat insmod chain terminal_output console chainloader /boot/edk2/Shell.efi } menuentry ' '{ true } submenu "Extras Menu"{ set default_settings="edd=on vga=normal mem=32G" set live_settings="boot=live eject=no" set linux="/pmagic/bzImage" set initrd_img="/pmagic/initrd.img /pmagic/fu.img /pmagic/m.img" set message="Loading kernel and initramfs. Please wait..." menuentry "1. Super Grub2 Disk EFI" { chainloader /boot/supergrub2disk/super_grub2_disk_standalone_x86_64_efi_2.04s1.EFI } menuentry "2. Clonezilla"{ echo $message search --set -f $linux linux $linux $default_settings clonezilla=yes initrd $initrd_img } menuentry "3. Nwipe"{ echo $message search --set -f $linux linux $linux $default_settings nwipe=yes initrd $initrd_img } menuentry "4. Load iSCSI Kernel Modules"{ echo $message search --set -f $linux linux $linux $default_settings iscsi=yes initrd $initrd_img } menuentry "5. Load config for xf86-video-qxl module"{ echo $message search --set -f $linux linux $linux $default_settings qxl=yes initrd $initrd_img } } } submenu "Failsafe Menu"{ set default_settings="edd=on vga=normal mem=32G" set live_settings="boot=live eject=no" set linux="/pmagic/bzImage" set initrd_img="/pmagic/initrd.img /pmagic/fu.img /pmagic/m.img" set message="Loading kernel and initramfs. Please wait..." menuentry "1. No ACPI (Advanced Configuration and Power Interface)"{ echo $message search --set -f $linux linux $linux $default_settings acpi=off initrd $initrd_img } menuentry "2. Do not eject CD"{ echo $message search --set -f $linux linux $linux $default_settings eject=no initrd $initrd_img } menuentry "3. Emulator compatibility"{ echo $message search --set -f $linux linux $linux $default_settings $live_settings noreplace-paravirt initrd $initrd_img } menuentry "4. Console (boots to the shell)"{ echo $message search --set -f $linux linux $linux $default_settings consoleboot=yes initrd $initrd_img } menuentry "5. Initrd.img (boot to initrd.img shell)"{ echo $message search --set -f $linux linux $linux $default_settings initrd_shell=yes initrd $initrd_img } menuentry "6. Radeon no modeset"{ echo $message search --set -f $linux linux $linux $default_settings blacklist=radeon initrd $initrd_img } menuentry "7. No / force CPU Frequency Scaling"{ echo $message search --set -f $linux linux $linux $default_settings cpufreq=no initrd $initrd_img } menuentry "8. Force vesa workaround"{ echo $message search --set -f $linux linux $linux $default_settings xconfig=forcevesa initrd $initrd_img } menuentry "9. Force refresh rate"{ echo $message search --set -f $linux linux $linux $default_settings xconfig=forcerefresh nomodeset initrd $initrd_img } menuentry "10. Disable accelerated 3D graphics (DRI)"{ echo $message search --set -f $linux linux $linux $default_settings nodri=yes initrd $initrd_img } menuentry "11. Missing Mouse Pointer"{ echo $message search --set -f $linux linux $linux $default_settings xmouse=yes initrd $initrd_img } menuentry "12. Macbook Pro 8,x Dual Graphics Workaround"{ echo $message search --set -f $linux linux $linux $default_settings outb 0x728 1 # Switch select outb 0x710 2 # Switch display outb 0x740 2 # Switch DDC outb 0x750 0 # Power down discrete graphics initrd $initrd_img } menuentry "13. Libata noncq - Drive will not unlock"{ echo $message search --set -f $linux linux $linux $default_settings libata.force=1.0:noncq initrd $initrd_img } menuentry "14. No IPV6 - Stop Network Manager from disconnecting."{ echo $message search --set -f $linux linux $linux $default_settings blacklist=ipv6 initrd $initrd_img } } menuentry ' '{ true } submenu "List of Cheat Codes"{ menuentry "directory= Directory containing the pmagic folder"{set} menuentry "iso_filename= [path to/]iso filename"{set} menuentry "root= SQFS boot device by partition id"{set} menuentry "label= SQFS boot device by label"{set} menuentry "uuid= SQFS boot device by [partial] uuid"{set} menuentry "blacklist= Do not load kernel modules, e.g. blacklist=kmod1:kmod2:kmod3"{set} menuentry "ahci=no Do not load the ahci kernel module"{set} menuentry "modprobe= Load kernel modules, e.g. modprobe=kmod4:kmod5:kmod6"{set} menuentry "consoleboot=yes Do not start X-windows"{set} menuentry "eject=no Do not eject CD"{set} menuentry "gpm=no Disable the console mouse server"{set} menuentry "pmodules=no Do not install pmagic/pmodules"{set} menuentry "slapt=no Do not install /home/partedmagic/slapt-get/ packages"{set} menuentry "scripts=no Do not execute pmagic/pmodules/scripts"{set} menuentry "sound=no Do not let ALSA set volume levels (mute)"{set} menuentry "numlock=on Set numlock to on at boot"{set} menuentry "conky=no Do not auto-start conky"{set} menuentry "zfs=no Do not start zfs services"{set} menuentry "hostname= Set hostname to XXXXXX[.YYYYYY.ZZZ]"{set} menuentry "timeconfig=|no Set timezone | do not start timeconfig at boot"{set} menuentry "clockfmt= clockfmt=%R (24-hours), clockfmt=%l:%M%P (am/pm)"{set} menuentry "mdadm=no Do not assemble raid filesystems"{set} menuentry "lvm=no Do not start the device mapper"{set} menuentry "sshd=no Do not start SSH daemon"{set} menuentry "bluetooth=no Do not start the bluetooth daemon"{set} menuentry "consolekit=no Do not start the consolekit daemon"{set} menuentry "dmeventd=no Do not start the device mapper event daemon"{set} menuentry "dbus=no Do not start the Dbus daemon"{set} menuentry "smart=no Do not start the smartmontools daemon"{set} menuentry "fstabdaemon=no Do not start the Parted Magic /etc/fstab daemon"{set} menuentry "nfs=no Do not start the NFS daemon"{set} menuentry "acpid=no Do not start the acpi daemon"{set} menuentry "cups=no Do not start the CUPS server"{set} menuentry "netw=no Do not start the network at boot"{set} menuentry "samba=yes Start the samba daemons"{set} menuentry "rdate=yes Sync time with rdate at boot"{set} menuentry "monday=1 Monday as first day of the week"{set} menuentry "ntpd=yes Start the ntpd daemon"{set} menuentry "cpufreq=no/yes/ No (laptop), force (desktop) CPU freq scaling governor"{set} menuentry "powermanager=no/yes No (laptop), force (desktop) power manager"{set} menuentry "iscsi=yes Start iscsi initiator"{set} menuentry "xconfig=XXXXXX|no Use /etc/X11/xorg.conf.XXXXXX | Undo"{set} menuentry "nodri=yes No DRI"{set} menuentry "qxl=yes X to start with QXL device"{set} menuentry "xmouse=yes Try this if your X does not show a mouse cursor"{set} menuentry "clonezilla=yes Boot into clonezilla"{set} menuentry "nwipe=yes Boot into nwipe"{set} menuentry "cmd= Boot into , e.g. cmd="nwipe --method dod""{set} menuentry "device_list=yes Show devices/partitions being scanned for the SQFS"{set} menuentry "removableonly=yes Only scan devices/partitions with "removable" attribute"{set} menuentry "testing=yes Wait at boot completion, use to scroll"{set} menuentry " Press to continue"{set} menuentry ""{set} menuentry "Keyboard maps:"{set} menuentry "azerty be-latin1 fr-latin1 fr-latin9 fr-pc fr wangbe wangbe2 ANSI-dvorak"{set} menuentry "dvorak-l dvorak-r dvorak tr_f-latin5 trf bg-cp1251 bg-cp855 bg_bds-cp1251"{set} menuentry "bg_bds-utf8 bg_pho-cp1251 bg_pho-utf8 br-abnt br-abnt2 br-latin1-abnt2"{set} menuentry "br-latin1-us by cf cz-cp1250 cz-lat2-prog cz-lat2 cz defkeymap"{set} menuentry "defkeymap_V1.0 dk-latin1 dk emacs emacs2 es-cp850 es et-nodeadkeys et"{set} menuentry "fi-latin1 fi-latin9 fi gr-pc gr hu101 hypermap.m4 il-heb il-phonetic il"{set} menuentry "is-latin1-us is-latin1 it-ibm it it2 jp106 la-latin1 lt.baltic lt.l4 lt"{set} menuentry "mk-cp1251 mk-utf mk mk0 nl nl2 no-latin1.doc no-latin1 no pc110 pl pl2"{set} menuentry "pt-latin1 pt-latin9 ro_win ru-cp1251 ru-ms ru-yawerty ru ru1 ru2 ru3 ru4"{set} menuentry "ru_win se-fi-ir209 se-fi-lat6 se-ir209 se-lat6 sk-prog-qwerty sk-qwerty"{set} menuentry "speakup-jfw speakup-jfw.readme speakupmap sr-cy sv-latin1 tr_q-latin5 tralt"{set} menuentry "trq ua-utf-ws ua-utf ua-ws ua uk us-acentos us croat cz-us-qwertz"{set} menuentry "de-latin1-nodeadkeys de-latin1 de de_CH-latin1 fr_CH-latin1 fr_CH hu"{set} menuentry "sg-latin1-lk450 sg-latin1 sg sk-prog-qwertz sk-qwertz slovene"{set} menuentry "Example:"{set} menuentry "At the boot menu press and then change 'keymap=us' to 'keymap=fr-latin1'"{set} menuentry ""{set} menuentry "VGA modes:"{set} menuentry "Normal VGA console: vga=normal"{set} menuentry "VESA framebuffer console @ 1024x768x64k: vga=791"{set} menuentry "VESA framebuffer console @ 1024x768x32k: vga=790"{set} menuentry "VESA framebuffer console @ 1024x768x256: vga=773"{set} menuentry "VESA framebuffer console @ 800x600x64k: vga=788"{set} menuentry "VESA framebuffer console @ 800x600x32k: vga=787"{set} menuentry "VESA framebuffer console @ 800x600x256: vga=771"{set} menuentry "VESA framebuffer console @ 640x480x64k: vga=785"{set} menuentry "VESA framebuffer console @ 640x480x32k: vga=784"{set} menuentry "VESA framebuffer console @ 640x480x256: vga=769"{set} } However path for "bootloader" of Partition 7 in EFI setup is: \EFI\boot\bootx64.efi When I used this path for editing 40_custom file instead of use grub.cfg file, it ends with error. Thank you for your answers. P. **EDIT:** **Option 1:** I used follow edit of custom_40 file menuentry "partedmagic" { insmod chain set root=(hd0,gpt7) configfile /boot/EFI/bootx64.efi } When I tried to edit this file follow as: menuentry "partedmagic" { insmod chain set root=(hd0,gpt7) chainloader /boot/EFI/bootx64.efi } I received a error message: *Bootloader has not verified loaded image... System is compromised. halting.* **Option 2:** Process of resign Parted Magic's bzImage was completed success, but when i try boot this, its still with error. *...has invalid signature, you need to load kernel first.*

I made a custom live system using the Debian FAI service . I can't boot it with secure boot as my laptop is not recognizing the signature somehow. But I can still boot my currently installed Debian system normally (and I have no MOK enrolled) Here is the FAI configuration as seen on the website:

cl=DEBIAN,DHCPC,DEMO,FAIBASE,BOOKWORM,BACKPORTS,SSH_SERVER,STANDARD,NONFREE,RECOMMENDS,KDE,FAIME,AMD64,LIVEISO
NIC1=eth0 fai dirinstall -v -u debian -c$cl /srv/live
fai-cd -s500 -MH -d none -g grub.cfg.live -n /srv/live live-.iso

I expected FAI to use the same signed Grub used by Debian. Apparently not?

Having recently installed a driver which required for the module to be signed manually it was confusing what signing that module was actually doing and why it had to be done. There are other questions about the process on here however they are more technical. What is a simple explanation of what signing modules does and why it is necessary as well as what the alternatives are (apparently dkms can automatically sign modules)?

I want to sign my nvidia driver so I can use it with Secure Boot. I'm trying to follow these instructions for nvidia driver: https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_modules_.28Traditional_Way.29 I already have MOK keys. I've installed nvidia drivers with apt-get install nvidia-driver. Now I'm signing it. I can't find location of my nvidia module. ChatGPT has suggested something like that:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /path/to/MOK.priv /path/to/MOK.der $(modinfo -n nvidia)

But I'm getting error (even with modinfo -n nvidia)

sudo /sbin/modinfo nvidia
modinfo: ERROR: Module nvidia not found

I've also tried it, but got no output:

sudo find /lib/modules/$(uname -r) -type f -name "nvidia.ko"

What should I do to find my nvidia driver? It should be there if I have installed a package, right?

Two common ways to do Secure Boot are: 1. EFI -> shim -> grub -> kernel 2. EFI -> UKI I want to keep grub, but discard all third party keys and use my own. One option would be to recompile shim with only my keys, but it seems more straightforward to do a simpler boot chain of EFI -> grub -> UKI. So far I have:

# Install GRUB with the modules embedded
grub-install --target=x86_64-efi --efi-directory=/boot/efi --boot-directory=/boot/efi/boot \ 
 --modules="normal probe part_gpt part_msdos ext2 search fat lvm luks tpm mdraid1x mdraid09 raid5rec raid6rec all_video gzio datetime chain loadenv configfile test linux ls echo cat help" \ 
 --no-floppy --uefi-secure-boot --force-extra-removable --disable-shim-lock

# Sign with self-generated and enrolled key
cp /boot/efi/boot/grub/x86_64-efi/grub.efi /boot/efi/EFI/BOOT/
cp grub.cfg /boot/efi/EFI/BOOT/grub.cfg
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/BOOT/grub.efi /boot/efi/EFI/BOOT/grub.efi
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/Linux/vmlinuz.efi /boot/efi/EFI/Linux/vmlinuz.efi

efibootmgr --create -l '/EFI/BOOT/grub.efi'

# grub.cfg
chainloader /EFI/Linux/vmlinuz.efi
boot

This setup boots, but grub does not check the signature of the UKI. It can also probably be convinced to dynamically load unsigned modules. What do I need to do in grub.cfg to allow proper Secure Boot without shim? Is this even a reasonable thing to do, or must I always use shim to properly populate the PCRs?

Apologies in advance if I have incorrect assumptions in the post. I'm still getting the hang of DPDK. Basically, I am trying to utilize DPDK on a Generation 2 Hyper-V VM that has Secure Boot enabled. On boot up of the Ubuntu-based VHD that DPDK runs on, I am seeing this in the dmesg logs:

[    0.000000] Kernel is locked down from command line; see man kernel_lockdown.7

Along with:

raw io port access is restricted; see man kernel_lockdown.7

Since DPDK is meant to bypass the kernel stack, my assumption for its poor performance/no traffic over the virtual function is due to this lockdown mode. Company policy requires Secure Boot to be enabled, so if anyone has advice or resources I could read to work towards a solution, that would be great.

How likely is it that disabling Secure Boot on a home computer running Linux would suffer from the advertised threat of > unauthorized code—such as bootkits and rootkits—from being executed > during the boot process? How would such animals get onto a home computer of which I am the only user? It seems unlikely to me that that would be a problem in my instance. **But maybe I am missing something?** I am interested in doing this because I would like to enable hibernation on this computer, which, because it has an nVidia GPU, cannot be reliably suspended. The computer has a swap partition and nvram rather than a hard disk, and I think the delays would be tolerable and less annoying than the frequent need to reboot.

I have a laptop with a damaged screen. I use it by connecting a screen via HDMI. I'm running some cryto mining software that requires MSR access to run efficiently. I cannot access the BIOS to disable secure boot. I cannot access the console to use mokutil. Help! Thanks in advance! :)

I am trying to build a tool to allow people to create network-bootable Linux environments. The primary use case is for mass deployment and configuration of end user devices. Most of these devices have Secure Boot enabled with the Microsoft CA. I am pre-supposing that my users will be unwilling to manually enroll another UEFI CA, or deal with all the physical presence stuff for MokManager on what will presumably be 100s or 1000s of devices. I've got the whole process working with Canonical-signed Ubuntu kernels. EFI verifies that the shim is signed by Microsoft, the shim verifies that the kernel is signed by Canonical, the kernel verifies that any modules are signed by Canonical. This works great for Ubuntu-based images, and that might be where I have to leave it. It would be nice though if I could support kernels from any distro, signed or unsigned. At first glance this seems like it is in direct opposition to what Secure Boot is trying to do, but I keep finding sources that indicate that Microsoft only cares about validating code executed before ExitBootServices is called. Indeed that article indicates Canonical's initial plans were to call ExitBootServices in the boot-loader before loading the kernel, relieving the boot loader of any further responsibility to verify code integrity and allowing unsigned kernels to be loaded with Microsoft's blessing. Is calling ExitBootServices early sufficient to get Microsoft's blessing? Are there any signed, not-revoked copies of GRUB that actually do this and allow loading unsigned kernels?

Currently, I try to understand how a measured boot is working and what components log what in which pcr of a tpm2. I have a test-setup with uefi-secure boot enabled and a tpm2 attached in a kvm virtualized machine. I compiled my own kernel with tpm support etc. tpm2_pcrread gives reasonable output. Now I want to look inside the events of the tpm. But there is no /sys/kernel/security/tpm0 and therefore no binary_bios_measurement. If I live boot from the ubuntu 23.10 iso, the file is present and can be read by tpm2_eventlog. So i take the kernel from ubuntu and booted the system with it, but also here, there is no /sys/kernel/security/tpm0. No my guess is, that i miss kernel module that exposes this. Or systemd in ubuntu creates this path. I do not find any documentation about this. I do not know how to find out where and who creates this path/file. Does someone know how to expose the binary_bios_measurement? PS. on my own linux I am using OpenRc and not systemd.

I'd like to be able to hibernate another one of my Debian/KDE machines because it's practical and I'd like to save some energy. I can't hibernate another one which has a swapfile and Secure Boot currently disabled. The machine runs Debian10/KDE, has Secure Boot enabled and currently doesn't have a swapfile but a swap-partition (which is larger than the RAM). The hard disk is fully encrypted. I already tried the following: * In the DE I went to Leave but unlike on my other machine there is no entry for "Hibernate". When I search for "Hibernate" the button appears but I can't right click it for more info and nothing happens when I click it. * Installing uswsusp and then running sudo s2disk. This returns:

s2disk: Could not open the snapshot device. Reason: Operation not permitted

* Installing hibernate and running sudo hibernate. This returns:

hibernate:Warning: Tuxonice binary signature file not found.  
    UdevQt: unhandlet device action "unbind"  
    UdevQt: unhandled device action "unbind"  
    UdevQt: unhandlet device action "bind"  
    UdevQt: unhandled device action "bind"

* Installing pm-utils and the executing sudo pm-hibernate. This returns nothing and nothing happens. * Running sudo systemctl hibernate.

Failed to hibernate system via logind: Sleep verb "hibernate" not supported

Searching syslog for "error" or "hibern" doesn't show anything. Is it because of security issues? I intend to change the swap-partition to a swapfile later. Hibernating with Secure Boot should be fine when the disk is fully encrypted.

Upon installing Nvidia drivers I was promoted to set up a MOK password or third party drivers may not work properly, so I created one. After reboot I was presented with a blue MOK management screen with a few options in it, the first one being continue boot. So I chose this and when boot was finished, my second monitor wasn't being recognized. Remembering reading something about secure boot when initially prompted about MOK, I booted into the BIOS and turned secure boot off. Now I have my second screen back. Several questions come to mind. 1. First, what is MOK? 2. Do I need it, and if not, how do I get rid of it? 3. Was losing recognition of my second screen due to installing Nvidia drivers, or setting up MOK? 4. Can I just keep secure boot off?

I am trying to boot a Linux kernel with efi stub enabled using Red Hat's Shim https://github.com/rhboot/shim . I can boot the system if I enroll the hash of my efi stub (selecting GRUBX64.EFI), but shim says the system is compromised when i enroll its certificate. I'd like to use a certificate so I can update without having to re-enroll. Error message on boot:

EFI stub: UEFI Secure Boot is enabled.
Bootloader has not verified loaded image.
System is compromised.  halting.

Shim version: 15.8-3, extracted from Fedora rpm (signed by Microsoft). Compiling Linux 6.9.7 (Buildroot) with EFI_STUB=y. Outputs bzImage. Adding SBAT using script from https://github.com/rhboot/shim/issues/376#issuecomment-1628004034 :

pe-add-sections.py -s .sbat sbat.csv -z .sbat -i bzImage -o bzImage.sbat

where sbat.csv:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md 
rescue,1,ABC,rescue,1,https://example.com 

Signing:

openssl req \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "mok.priv" \
        -out "mok.der" \
        -subj "/CN=Rescue/"

openssl x509 -in mok.der -inform DER -outform PEM -out mok.pem

sbsign --key mok.priv --cert mok.pem --output bzImage.signed bzImage.sbat

Then using genimage (https://github.com/pengutronix/genimage) to create img:

# file genimage.cfg

image efi-part.vfat {
	vfat {
		file EFI/BOOT/BOOTX64.EFI {
			image = "shimx64.efi"
		}

		file EFI/BOOT/MMX64.EFI {
			image = "mmx64.efi"
		}

		file EFI/BOOT/GRUBX64.EFI {
			image = "bzImage.signed"
		}

		file MOK.DER {
			image = "mok.der"
		}
	}
	size = 16M
}

image disk.img {
	hdimage {
		partition-table-type = "gpt"
	}

	partition boot {
		image = "efi-part.vfat"
		partition-type-uuid = U
		offset = 32K
		bootable = true
	}
}

genimage -c genimage.cfg # Outputs disk.img

I have verified that GRUBX64.EFI isn't changed by genimage with sbverify --cert mok.pem GRUBX64.EFI Tested by writing to USB (dd ...) and booting on Surface Go 2, and in the following vm, with the same results:

#!/bin/bash

set -Eeuxo pipefail

MACHINE_NAME="test"
SSH_PORT="5555"
OVMF_CODE="/usr/share/OVMF/OVMF_CODE_4M.ms.fd"
OVMF_VARS_ORIG="/usr/share/OVMF/OVMF_VARS_4M.ms.fd"
OVMF_VARS="$(basename "${OVMF_VARS_ORIG}")"

if [ ! -e "${OVMF_VARS}" ]; then
        cp "${OVMF_VARS_ORIG}" "${OVMF_VARS}"
fi

qemu-system-x86_64 \
        -enable-kvm \
        -cpu host -smp cores=1,threads=1 -m 4096 \
        -object rng-random,filename=/dev/urandom,id=rng0 \
        -device virtio-rng-pci,rng=rng0 \
        -name "${MACHINE_NAME}" \
	-drive format=raw,file="disk.img" \
        -net nic,model=virtio -net user,hostfwd=tcp::${SSH_PORT}-:22 \
        -vga virtio \
        -machine q35,smm=on \
        -drive if=pflash,format=raw,unit=0,file="${OVMF_CODE}",readonly=on \
        -drive if=pflash,format=raw,unit=1,file="${OVMF_VARS}" \
        -global driver=cfi.pflash01,property=secure,value=on \
        $@

I have tried signing with pesign, but it didn't make a difference:

#!/usr/bin/env bash

mkdir db
certutil -d db -N --empty-password

efikeygen -d db \
  --self-sign \
  --nickname='Rescue' \
  --common-name='CN=Rescue,OU=xxx,O=xxx,C=US'

certutil -d db -L -n "Rescue" -r > mok.der
pesign --force -s -n db -c "Rescue" -i bzImage.sbat -o bzImage.signed

What am I doing wrong?

(The question was originally asking about all distributions, however I have achieved a result for one distribution, only) When running under UEFI Secure Boot with a current Linux distribution, "kernel lockdown" will be instated. Multiple kernel messages along the lines of Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7 may support the interpretation, that hibernation with UEFI Secure Boot is broken - this impression will be supported when reading the majority of Internet sources. This interpretation is _wrong_, though. That is why the message uses the word "restricted", as opposed to "disabled". It turns out, that patches for signed kernel/memory images to support kernel_lockdown have been developed since approx. 2011. LUKS encrypting at least the swap space, if not the full HD, can enable hibernation under lockdown, even at a high degree of automation when involving the TPM. Recommended reading: - https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2 - https://www.tecmint.com/disk-encryption-in-linux/ Which main stream kernel version enables this? Which of the most professionally maintained distributions have patches in place, that enable hibernation under lockdown, and how can this be activated, then? The distributions in question could be RHEL and Clones, Debian (and Ubuntu), SLES/OpenSuse, however, it is not my intention to start a discussion what the "most professional" distribution is. If you know a preferably "simple" solution for any large user-base distribution, feel free to answer. I would like to find out whether something like injecting your own patch as proposed in https://unix.stackexchange.com/questions/693000/patching-the-kernel-to-allow-hibernation-with-secure-boot-enabled is really necessary on current distributions. I need a distribution-golfing site.

I wanted to ask about something happening on my Debian 12 machine. When I run journalctl as root I get this message: "Kernel is locked down from EFI Secure Boot; see man kernel_lockdown.7" I don't have secure boot enabled in bios, is this something else? I've been concerned about this machine for awhile now.

I need to install an custom OS to many similar/identical laptops. Would it work to live boot a laptop and dd the disk from a template laptop to the new one? Is it possible to trigger secure boot key enrolment afterwards?

Good evening, after searching on google I didn't find the answer to my question. When installing a distribution such as Ubuntu with secure boot activated, the installer creates a MOK key in the NVRAM which can be seen with ‘mokutil -l ’. Later, I decide to change distribution to Fedora, the installer will insert its own key in the NVRAM that I can see with ‘mokutil -l’ but the Ubuntu key is not visible from Fedora. Does this mean that each distribution creates its own database in NVRAM? Is it possible to see the previously installed keys of other distributions? To clean NVRAM of these old MOKs from old distributions? This is for security reasons, but also to save space. As the amount of NVRAM is very small, isn't there a risk that it will be full if you install frequently? Restoring the Secure Boot factory settings in the UEFI resets the PEK, KEK, DB and DBX keys but does not seem to remove the MOK keys in my case.

It’s a piece of cake to enable secure boot in a virtual machine, but I’m struggling to do the same with OpenSUSE on my 2012 vintage computer which refuses to boot in secure boot mode even in the standard configuration (with microsoft’s keys it seems). I’d like to troubleshoot the most critical part: Do the keys match between the firmware and the shim ? How to check that ?