{{Header}} {{#seo: |description=Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled. |image=Secureboot12312.png }} {{boot_firmware}} [[File:Secureboot12312.png|thumb|200px]] {{intro| Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled. }} = Introduction = Secure Boot is a feature designed to help protect your computer by allowing only trusted software to run during startup. It ensures that the system boots with software that hasn't been tampered with. However, in practice, Secure Boot has been criticized for acting as an anti-competitive tool by Microsoft, as it can prevent users from easily switching from Windows to alternative operating systems such as Linux. In practice, until a full [[Verified Boot]] gets implemented by a Freedom Software Linux desktop distribution, the security advantage is marginal. Technical details can be found on [[Dev/Secure Boot|Secure Boot (developers)]]. [[Miscellaneous_Threats_to_User_Freedom|User freedom restrictions]] are documented in chapter "[[Miscellaneous_Threats_to_User_Freedom#restricted_boot|restricted boot]]". = {{project_name_short}} Secure Boot Compatibility = {{project_name_short}} is compatible with computer hardware provider default (Microsoft) provided keys. Disabling Secure Boot is optional. However, if the user keeps Secure Boot enabled, DKMS key enrollment is recommended, which is documented below. = Rationale for DKMS Signing Key Enrollment = Without a DKMS Signing Key, the following functionality will be broken: * [https://www.kicksecure.com/?#explain-tirdad CPU Information Leak Protection (TCP ISN)] is implemented through the custom kernel module tirdad. * VirtualBox host operating system software. * Any other kernel modules not shipped by Debian. This is because, when Secure Boot is enabled, custom (non-mainline in Linux) kernel modules are rejected by the Linux kernel. = Symptoms = You will see a journal message if Secure Boot is disabled and an unsigned kernel module is being loaded.
tirdad: module verification failed: signature and/or required key missing - tainting kernel= Secure Boot DKMS Signing Key Enrollment = '''1.''' To import the MOK certificate, make sure
mokutil
is installed.
It is installed by default in {{project_name_short}}.
{{Install Package
|package=mokutil
}}
'''2.''' Check if Secure Boot is enabled:
{{CodeSelect|code=
sudo mokutil --sb-state
}}
Expected output:
SecureBoot enabledIf Secure Boot is not enabled, no further steps from this wiki chapter need to be applied. '''3.''' Import the DKMS MOK key. {{CodeSelect|code= sudo mokutil --import /var/lib/dkms/mok.pub }} '''4.''' Password entry. You'll be prompted to create a password. Enter it twice. '''5.''' Reboot the computer. {{CodeSelect|code= sudo reboot }} '''6.''' MOK Manager EFI interface. At boot, you'll see the MOK Manager EFI interface: [[File:mok-key-1.png|SHIM UEFI key management]] '''7.''' Press any key to enter it, then select "Enroll MOK": [[File:mok-key-2.png|Perform MOK management]] '''8.''' Then select "Continue": [[File:mok-key-3.png|Enroll MOK]] '''9.''' Confirm with "Yes" when prompted: [[File:mok-key-4.png|Enroll the key(s)?]] '''10.''' After this, enter the password you set up with
mokutil --import
in the previous step:
[[File:mok-key-5.png|Enroll the key(s)?]]
'''11.''' At this point, you are done. Select "OK," and the computer will reboot, trusting the key for your modules:
[[File:mok-key-6.png|Perform MOK management]]
'''12.''' After reboot, you can inspect the MOK certificates with the following command:
{{CodeSelect|code=
sudo mokutil --list-enrolled | grep DKMS
}}
Expected output:
Subject: CN=DKMS module signing key'''13.''' To check the signature on a built DKMS module that is installed on a system: {{CodeSelect|code= sudo modinfo dkms_test | grep ^signer }}
signer: DKMS module signing key'''14.''' Done. The module can now be loaded without issues. Credits: Based on https://github.com/dell/dkms?tab=readme-ov-file#secure-boot = Disable Secure Boot = == Disable Secure Boot using update-secureboot-policy == Secure Boot can be disabled using
update-secureboot-policy
.
This tool is available only for Debian-based distributions, such as Kicksecure and Whonix. For other Linux distributions, see the alternative below.
'''1.''' Choose one of these methods:
* '''A)''' Terminal-based graphical user interface: {{CodeSelect|code=
sudo update-secureboot-policy
}}
* '''B)''' Command-line interface: {{CodeSelect|code=
sudo update-secureboot-policy --disable
}}
'''2.''' Reboot your system.
'''3.''' Done.
== Disable Secure Boot in BIOS/UEFI ==
Alternatively, Secure Boot can be disabled using the firmware setup (BIOS/UEFI).
'''1.''' Restart your computer and enter the BIOS/UEFI settings.
'''2.''' Locate the Secure Boot option and disable it.
'''3.''' Save changes and exit.
'''4.''' Done.
= Errors =
== EFI variables are not supported on this system ==
If you see the following error message:
EFI variables are not supported on this systemIn this case, EFI is not enabled, which by extension means that Secure Boot is not enabled either. Therefore, it is unnecessary for the DKMS MOK key to be imported. No further user action is required. = Development = * [https://github.com/dell/dkms/issues/429 automate running "
sudo mokutil --import /var/lib/dkms/mok.pub
"]
= Other Projects on Secure Boot =
* https://www.qubes-os.org/faq/#is-secure-boot-supported
= See Also =
{{boot_firmware}}
= Footnotes=