28
votes
What exactly is MOK in Linux for?
ad 1)
MOK (Machine Owner Key) is about securing the boot process by only allowing approved OS components and drivers to run. MOK must be implemented by the "BIOS" - or some startup code ...
19
votes
Accepted
Why does the kernel lockdown prevent hibernation?
As mentioned in the manpage,
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.
Unencrypted hibernation stores the contents of ...
11
votes
What exactly is MOK in Linux for?
ad 3)
With Secure Boot in effect, only kernel modules with valid signatures will be allowed. As the MOK installation process was not actually completed, the signature check on the Nvidia modules ...
8
votes
Accepted
LUKS + TPM2 + PIN
2022-05-21 - systemd v251
Support for TPM2 + PIN has been merged in systemd-cryptenroll and is available as part of release v251.
Changes in disk encryption:
systemd-cryptenroll can now control ...
5
votes
Accepted
Signing a compressed kernel module for use with Secure Boot
You can unpack the compressed module, sign it, and re-compress it
unxz zfs.ko.xz
sign-file sha1 "${key}" "${x509}" "zfs.ko"
xz -f zfs.ko
or a bit more general (I use this for evdi, inspired by https:/...
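The unpack/sign/repack sequence above, generalized as an added example (not code from the answer's author): it handles .ko, .ko.xz, .ko.gz and .ko.zst, restores the original compression, and refuses to stack a second signature on a module that already carries one. The default paths are assumptions (Debian/Ubuntu header location for sign-file, Ubuntu's shim-signed MOK paths); override them via the environment. It uses sha256 where the answer used sha1, which the kernel still accepts but which is deprecated for new signatures.

```shell
#!/bin/sh
# Added example: sign an out-of-tree module with an enrolled MOK regardless of
# how the distro compressed it, restoring the compression afterwards.
# Assumed defaults (override via environment): Debian/Ubuntu path for
# sign-file (Fedora: /usr/src/kernels/$(uname -r)/scripts/sign-file) and
# the MOK key/cert locations used by Ubuntu's shim-signed package.
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}"
MOK_KEY="${MOK_KEY:-/var/lib/shim-signed/mok/MOK.priv}"
MOK_CRT="${MOK_CRT:-/var/lib/shim-signed/mok/MOK.der}"
MOK_HASH="${MOK_HASH:-sha256}"   # sha1 (as in the answer) still works but is deprecated

# sign-file appends the PKCS#7 blob followed by this 28-byte marker; the
# marker at the very end of the file is how the kernel spots a signed module.
module_is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = '~Module signature appended~' ]
}

sign_module() {
    mod="$1"
    case "$mod" in
        *.ko.xz)  plain="${mod%.xz}";  unpack="unxz";              pack="xz -f" ;;
        *.ko.gz)  plain="${mod%.gz}";  unpack="gunzip -f";         pack="gzip -f" ;;
        *.ko.zst) plain="${mod%.zst}"; unpack="unzstd -q --rm -f"; pack="zstd -q --rm -f" ;;
        *.ko)     plain="$mod";        unpack=":";                 pack=":" ;;
        *) echo "sign_module: $mod does not look like a kernel module" >&2; return 1 ;;
    esac
    [ -x "$SIGN_FILE" ] || { echo "sign_module: sign-file not found at $SIGN_FILE" >&2; return 1; }
    for f in "$MOK_KEY" "$MOK_CRT"; do
        [ -r "$f" ] || { echo "sign_module: cannot read $f" >&2; return 1; }
    done
    $unpack "$mod" || return 1                  # unquoted on purpose: "xz -f" must split
    if module_is_signed "$plain"; then
        echo "sign_module: $plain is already signed, not stacking a second signature" >&2
    elif ! "$SIGN_FILE" "$MOK_HASH" "$MOK_KEY" "$MOK_CRT" "$plain"; then
        $pack "$plain"                          # put the file back before bailing out
        return 1
    fi
    $pack "$plain"
}

# Usage: sh sign_module.sh /lib/modules/$(uname -r)/updates/dkms/*.ko*
if [ "$#" -gt 0 ]; then
    for m in "$@"; do sign_module "$m" || exit 1; done
fi
```

After signing, `modinfo -F sig_key <module>` shows the fingerprint of the certificate that produced the signature, which must match the key enrolled with mokutil. Anything that rebuilds the module afterwards (a dkms run, vboxconfig, a kernel header update) produces a fresh unsigned file, so rerun the script after those.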
5
votes
Accepted
Should I disable secure boot to install arch linux
For installing it you will need to disable Secure Boot in the BIOS, but after installation you can re-enable it if you want.
5
votes
Accepted
How can Linux hibernation be enabled under UEFI Secure Boot with kernel lockdown on OpenSuSE?
Meanwhile I can state for OpenSuse 15.3 and 15.4 that this is definitely possible, with a varying degree of comfort, mostly centered around either manual password entry and automatic decryption via ...
4
votes
Why I can't load signed VirtualBox kernel modules in Debian with SecureBoot enabled?
I had the same issue following the same procedure and couldn't figure out why it wasn't working, then I realized that the issue was running vboxconfig again after signing the modules since it would ...
4
votes
Accepted
"Enroll MOK" dialog after the 1-st reboot when you install Linux Mint 20.1 - what is it for (secure boot)?
1. What is the initial "Continue boot" or "Enroll MOK" dialog that appears when you install Mint and reboot for the first time?
That is produced by shimx64.efi when it detects that ...
4
votes
Accepted
Does secure boot + shim protect against evil maid?
Secure boot does not in itself protect against an attacker with physical access to the machine. I recommend using a password to protect against unauthorized access to the firmware setup. The primary ...
4
votes
Arch Linux and secure boot issues
In addition to the signed shim, you'll also need its companion MokManager program, mmx64.efi to be present in the same directory as the shim-named-as-BOOTx64.efi.
Now, when the shim finds nothing it ...
4
votes
How do I install Linux when I cannot disable Secure Boot?
Secure Boot Violation. Invalid signature detected. Check Secure Boot Policy in Setup.
Says that your boot loader is signed, but not with a key that your machine accepts. This is exactly the purpose ...
4
votes
Accepted
About Secure Boot, MOK and NVRAM
The concept of MOK is not officially part of Microsoft's Secure Boot. It's implemented by Shim, a special loader that actually overrides the firmware's Secure Boot handling – it has its own signature ...
3
votes
Accepted
Keyboard does not work in MokManager during key enrollment
TL;DR: Enter the BIOS setup; this enabled the keyboard in MokManager for me. You don't need to change any setting there; you can exit directly after entering it.
I had the same problem after installing Linux ...
3
votes
Accepted
When I run mokutil, I get Failed to enroll new keys
The answer was very simple: run it as root
sudo mokutil --import MOK.der
3
votes
Accepted
UEFI Self-Signed Kernel loading from a Microsoft Signed OS Loader
Your OS Loader needs to include a copy of the public part (a.k.a. the certificate) of the key you'll be using to sign your own kernel. Any time that key changes, you will need to have your OS Loader ...
3
votes
Accepted
Patching the kernel to allow hibernation with secure-boot enabled
The lockdown LSM module is what disables hibernation, and there is a kernel compile flag for this called CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT; set it to no and it won't enable lockdown when EFI ...
3
votes
Patching the kernel to allow hibernation with secure-boot enabled
Here's a patch I quickly wrote and have been using:
https://gist.github.com/kelvie/917d456cb572325aae8e3bd94a9c1350
I also ran into this setting up my Framework laptop with almost the same setup.
I ...
3
votes
Accepted
What is this update exactly designed for? (new BIOS?)
These are UEFI revocation list updates; they revoke signatures used for Secure Boot.
Since you don’t use Secure Boot they are irrelevant for you. Since UEFI capsule updates are disabled you probably ...
3
votes
Accepted
Is there a downside to a signed kernel?
If Secure Boot is disabled, the signature on a signed kernel isn’t used, and it behaves like an unsigned kernel.
There are no incompatibilities, and you can load modules without signing them.
See ...
2
votes
Should I disable secure boot to install arch linux
You should disable Secure Boot.
Booting an install media
Note: The official installation image does not support Secure Boot (FS#53864). To successfully boot the installation medium you will need ...
2
votes
Accepted
Can I require binary X to be booted only by a bootloader signed with key Y?
If I include Microsoft's keys in my secure boot setup, then any malware which has a Microsoft key can boot my Linux binary. Can I restrict my Linux binary to be booted only by a bootloader signed with ...
2
votes
Why does the kernel lockdown prevent hibernation?
In hibernation it would be "easy" to modify the unsigned swap space, or to extract secrets from the unencrypted swap space, thus circumventing the lockdown.
However, contrary to lots of ...
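A checklist script for the situation the two lockdown/hibernation answers above describe, added here as an example and not taken from either answer: it reports the Secure Boot state, the active lockdown mode, and whether each swap entry sits on a dm-crypt mapping. Lockdown in integrity or confidentiality mode refuses hibernation outright (hibernation_available() in kernel/power/hibernate.c fails on LOCKDOWN_HIBERNATION, whatever the swap looks like); the swap check tells you whether re-enabling hibernation through a kernel without lockdown would leave the image readable. The parsing steps take their input as strings so they can be exercised with constructed data; only hibernation_report reads the live system.

```shell
#!/bin/sh
# Added example: the three facts that decide whether hibernation works under
# Secure Boot with kernel lockdown. Tool names (mokutil, lsblk, findmnt) are
# the standard ones; the device_types wrapper exists so tests can fake lsblk.

# Active entry of /sys/kernel/security/lockdown, e.g.
# "none [integrity] confidentiality" -> integrity. Empty output means the
# file is absent (kernel built without the lockdown LSM).
lockdown_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# First column of /proc/swaps, header line dropped.
swap_devices() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'
}

# Block device behind a swap entry: a swapfile maps to the filesystem it
# lives on; a swap partition or LV is its own device.
swap_backing_device() {
    if [ -f "$1" ]; then findmnt -no SOURCE -T "$1"; else printf '%s\n' "$1"; fi
}

# Device type chain from the device up to the disk, e.g. lvm crypt part disk
# for LVM-on-LUKS. Separate function so tests can substitute a fake.
device_types() {
    lsblk -sno TYPE "$1" 2>/dev/null
}

# True if a dm-crypt mapping appears anywhere beneath the device.
device_is_encrypted() {
    device_types "$1" | grep -qx crypt
}

hibernation_report() {
    sb=$(mokutil --sb-state 2>/dev/null || echo "mokutil not available")
    echo "secure boot: $sb"
    mode=$(lockdown_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")
    echo "lockdown:    ${mode:-not available}"
    case "$mode" in
        integrity|confidentiality)
            echo "hibernation: refused by the kernel in lockdown mode '$mode'" ;;
    esac
    for sw in $(swap_devices "$(cat /proc/swaps 2>/dev/null)"); do
        dev=$(swap_backing_device "$sw")
        if device_is_encrypted "$dev"; then
            echo "swap $sw: backed by dm-crypt ($dev); image at rest would be encrypted"
        else
            echo "swap $sw: NOT encrypted ($dev); a hibernation image here exposes kernel memory"
        fi
    done
}

if [ "${1:-}" = "--report" ]; then
    hibernation_report
fi
```

Run it as `sh hibernation_check.sh --report`. A swapfile on an unencrypted root is reported as unencrypted even though it is a file, because the backing filesystem is what matters for an attacker reading the disk offline.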
2
votes
LUKS + TPM2 + PIN
There is currently no support for two-factor authentication when opening a LUKS device. However, there will probably be at some point in the future.
LUKS itself doesn’t have any notion of needing two “...
2
votes
"Enroll MOK" dialog after the 1-st reboot when you install Linux Mint 20.1 - what is it for (secure boot)?
on my installation there is no such command update-secureboot-policy
On my Ubuntu system that command is in the shim-signed package.
2
votes
How to verify signed UEFI binaries?
This is not an answer but a comment which I'd like to add anyways because I believe it's relevant.
The Secure boot EFI mechanism only verifies binaries and libraries (e.g. executable code) signatures ...
2
votes
Accepted
Can't load self-signed kernel with Secure Boot on: "bad shim signature"
MOK.pem is generated on Ubuntu/Debian systems with extended usage attributes set to support kernel module signing only. That certificate is not usable to sign UEFI bootloaders or kernels as needed to ...
2
votes
Accepted
Operating System Loader signature found in SecureBoot exclusion database ('dbx'). All bootable devices failed Secure Boot verification
In mid-2020, a security vulnerability known as CVE-2020-10713 or BootHole was found. It affected just about all distributions that used GRUB2 with Secure Boot and had the GRUB acpi module included in ...
2
votes
Puppy Linux secure boot key
Tested on FossaPup64 9.5. It's all broken.
Puppy Linux uses old Debian's shim + their own GRUB. Debian's shim allows running any non-Debian .efi executables, but for that the custom signing key should ...
2
votes
Accepted
MOKutil: Enroll key of already installed driver
You don't enroll a specific signature; you enroll the (public part of the) key you use to make the signatures. Usually (= unless you take over the control of the entire Secure Boot key hierarchy on ...
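The key-generation and enrollment steps that several answers above touch on (running mokutil as root, the "bad shim signature" answer's point that a module-signing-only MOK.pem cannot sign kernels or bootloaders, and enrolling the public key rather than a signature), worked through as an added example that is not from any of those answers. The certificate carries both the codeSigning EKU (1.3.6.1.5.5.7.3.3), which shim requires on a MOK before it will accept a kernel or loader signed with it, and the Linux module-signing OID 1.3.6.1.4.1.2312.16.1.2 that Ubuntu's generated MOK.pem is limited to. MOK_DIR and the CN are assumptions for the example, not distro defaults.

```shell
#!/bin/sh
# Added example: generate a Machine Owner Key usable for both kernel modules
# and UEFI binaries, check its extended key usage, queue it for MokManager,
# and sign a PE binary with it. MOK_DIR is an assumed location.
MOK_DIR="${MOK_DIR:-$HOME/mok}"

make_mok() {
    mkdir -p "$MOK_DIR" && chmod 700 "$MOK_DIR" || return 1
    cat > "$MOK_DIR/mok.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[ dn ]
CN = Example Machine Owner Key
[ v3 ]
basicConstraints     = critical,CA:FALSE
keyUsage             = critical,digitalSignature
subjectKeyIdentifier = hash
# codeSigning satisfies shim's EKU check; the numeric OID is Linux module signing
extendedKeyUsage     = codeSigning,1.3.6.1.4.1.2312.16.1.2
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$MOK_DIR/mok.cnf" \
        -keyout "$MOK_DIR/MOK.priv" -out "$MOK_DIR/MOK.pem" || return 1
    # mokutil wants DER; sign-file accepts PEM or DER; sbsign wants PEM.
    openssl x509 -in "$MOK_DIR/MOK.pem" -outform DER -out "$MOK_DIR/MOK.der" || return 1
    chmod 600 "$MOK_DIR/MOK.priv"
}

# Both checks also work on a distro-generated MOK.pem, which is how you find
# out whether it can sign kernels (codeSigning present) or only modules.
mok_has_codesigning() {
    openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}
mok_has_module_oid() {
    openssl x509 -in "$1" -noout -text | grep -q '1\.3\.6\.1\.4\.1\.2312\.16\.1\.2'
}

# Queue the public key for MokManager. Needs root; mokutil asks for a
# one-time password that MokManager prompts for again on the next boot.
enroll_mok() {
    sudo mokutil --import "$MOK_DIR/MOK.der"
}

# Sign a PE binary (kernel image, GRUB, systemd-boot) with sbsign from
# sbsigntools; shim will then chain to it once the MOK is enrolled.
sign_efi_binary() {
    sbsign --key "$MOK_DIR/MOK.priv" --cert "$MOK_DIR/MOK.pem" --output "$2" "$1"
}
```

Enrollment is per key, not per signature: once MOK.der is in the MOK list, every module or binary signed with MOK.priv passes, so the private key deserves the same care as a root password and should not live on a shared or unencrypted volume.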
Related Tags
secure-boot × 122
uefi × 50
linux × 19
boot × 15
grub2 × 15
debian × 14
ubuntu × 13
boot-loader × 12
linux-kernel × 9
system-installation × 8
arch-linux × 7
linux-mint × 7
dual-boot × 7
bios × 7
fedora × 6
kernel × 6
security × 5
kali-linux × 5
kernel-modules × 5
hibernate × 5
windows × 4
nvidia × 4
grub × 3
live-usb × 3
proprietary-drivers × 3