
Switching to Secure-Boot in Debian


My main desktop machine is an AMD Ryzen 2400G on an ASUS PRIME B350M-A motherboard. It came with Secure Boot disabled and I immediately installed Debian on it. Back at the beginning of 2019 Debian stable was 10, i.e. Buster, based on a 4.19 kernel. I knew that the integrated Radeon Vega GPU of this SoC required a more recent kernel, so I used Debian testing (to become Bullseye) right from the beginning. It took me a little bit of fiddling until the two monitors worked correctly, but after that it became my main machine.

I did read about enabling Secure Boot back then, but it seemed the implementation for GNU/Linux systems had not been defined properly and so I left it disabled until recently.

dzu@krikkit:~$ sudo -i
root@krikkit:~# mkdir -p /var/lib/shim-signed/mok
root@krikkit:~# cd /var/lib/shim-signed/mok
root@krikkit:/var/lib/shim-signed/mok# openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=Detlev Zundel/"
....+...........+.+..+.+..+...+....+.................+...............+......+............+...+...+.+.........+..+....+.....+.+........+......+...+...+.......+...+.........+......+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+....+..+....+.....+...+.+.....+....+...+..+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+..+.............+......+.....+....+..+...+..........+..+...+....+..+.+...+.....+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+......+.+...............+........+................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
root@krikkit:/var/lib/shim-signed/mok# openssl x509 -inform der -in MOK.der -out MOK.pem
root@krikkit:/var/lib/shim-signed/mok# mokutil --import MOK.der
input password: 
input password again: 
root@krikkit:/var/lib/shim-signed/mok# mokutil --list-new
[key 1]
SHA1 Fingerprint: 01:a0:f6:64:31:b6:b8:6e:78:61:29:27:57:c5:af:1f:c8:1f:e7:d4
Certificate:
    Data:
	Version: 3 (0x2)
	Serial Number:
	    3c:65:a3:6f:71:a4:cd:8c:6d:04:49:03:cb:11:84:5a:96:b7:5b:0a
	Signature Algorithm: sha256WithRSAEncryption
	Issuer: CN=Detlev Zundel
	Validity
	    Not Before: Aug 19 22:15:05 2022 GMT
	    Not After : Jul 26 22:15:05 2122 GMT
	Subject: CN=Detlev Zundel
	Subject Public Key Info:
	    Public Key Algorithm: rsaEncryption
		Public-Key: (2048 bit)
		Modulus:
		    00:a9:19:d6:90:c6:63:b8:4a:b2:4b:2a:bc:66:e1:
		    54:fc:0e:df:3e:19:aa:57:2c:e7:52:aa:64:ad:ae:
		    48:9d:5e:76:40:f9:98:05:2d:fb:2a:22:7c:59:65:
		    15:3a:da:4e:24:90:24:8c:32:fe:c7:47:d3:53:2f:
		    a0:db:5d:b8:02:63:cf:18:e5:c6:c0:82:f1:cf:d4:
		    dc:c1:84:d9:a9:a2:1b:d6:65:2c:cd:58:44:a6:e4:
		    f0:37:86:64:1d:9f:ad:7a:49:29:ec:29:20:54:8d:
		    e7:b8:b2:e9:34:d5:f7:5f:06:8e:be:08:a2:6c:6d:
		    f6:bf:0c:81:dc:97:e9:f6:b8:8d:77:96:c1:5a:16:
		    fb:38:a6:cc:6c:c7:69:67:36:6a:af:5f:27:c5:fc:
		    aa:9b:16:75:8f:ff:d4:55:e6:d7:1d:79:f1:b2:15:
		    2b:53:a5:03:f3:16:45:3d:78:3f:20:89:09:b3:db:
		    34:4d:00:c2:e6:8f:fd:8c:00:5a:20:1c:13:aa:ba:
		    7f:69:ab:18:30:3b:8e:58:17:2d:9a:8d:5d:da:5c:
		    89:61:ef:03:46:78:6e:a6:3f:4a:50:85:a6:3f:a7:
		    a4:c8:55:a3:60:d5:28:d7:92:b7:ca:94:a1:82:9b:
		    d8:c9:9f:7e:11:4c:e4:86:31:d7:78:3f:76:d6:dc:
		    3a:f7
		Exponent: 65537 (0x10001)
	X509v3 extensions:
	    X509v3 Subject Key Identifier: 
		EC:8A:FD:29:F8:74:D7:41:C5:ED:3C:C9:41:62:B6:FD:C1:B7:58:55
	    X509v3 Authority Key Identifier: 
		EC:8A:FD:29:F8:74:D7:41:C5:ED:3C:C9:41:62:B6:FD:C1:B7:58:55
	    X509v3 Basic Constraints: critical
		CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
	a1:07:ea:50:a6:16:06:d8:1f:0c:c2:d7:18:a6:b3:4a:7c:e2:
	e3:82:1b:7f:c6:22:c2:75:0f:15:1e:9a:94:2b:3f:3d:0e:8f:
	fd:ab:70:b8:13:fd:c2:44:20:59:28:39:b3:ab:37:31:0b:88:
	f7:82:43:27:07:6e:a5:a5:85:0a:24:d5:63:d0:7e:ee:a0:ec:
	e3:38:af:a1:83:ee:ce:18:ec:0e:18:77:38:f9:2b:07:f7:ed:
	f6:fe:fe:69:fe:ba:09:fd:b6:65:f3:ac:a2:39:e7:32:50:96:
	5f:79:bd:ed:7e:f1:36:c2:75:6e:0b:a9:f3:11:45:8c:10:4b:
	42:4b:e7:5e:4e:f5:90:a4:1d:ed:e4:f1:50:53:b1:65:15:d8:
	6b:a7:6a:46:b7:69:0f:8a:b4:7f:d0:d3:2e:47:88:af:4e:1c:
	e4:a7:99:0c:22:f5:27:7f:a3:57:8d:0b:cb:f2:85:a4:a5:d9:
	49:50:94:20:2e:70:41:e1:8f:1a:ec:da:5a:a2:68:fc:aa:05:
	85:09:89:a0:b3:80:f0:4e:f8:3e:08:a2:c6:4e:16:b4:81:b2:
	0f:24:d5:89:fb:7a:c9:25:97:d2:86:69:12:6b:9b:5c:1b:a4:
	5d:fb:eb:fa:0e:b0:35:b5:51:29:0c:7c:36:70:1b:83:d7:78:
	66:38:2a:b6
root@krikkit:/var/lib/shim-signed/mok# 
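The key-creation steps above, as an added example that is not part of the original post: a POSIX shell script that generates and converts the MOK non-interactively in a scratch directory and checks the files before they are handed to `mokutil --import`. It assumes openssl is installed; the CN, passphrase and directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): create a Machine Owner Key as the post
# does, but non-interactively and in a scratch directory, and check it
# before handing MOK.der to `mokutil --import`. Assumes openssl is installed;
# the CN, passphrase and directory used below are placeholders.
set -eu

# Generate the key pair and self-signed cert (DER), plus the PEM copy.
# $1 = directory, $2 = subject CN, $3 = passphrase protecting MOK.priv
make_mok() {
    dir=$1 cn=$2 pass=$3
    mkdir -p "$dir"
    # Same options as the post; -passout replaces the interactive prompt and
    # 2>/dev/null hides the key-generation progress dots.
    openssl req -new -x509 -newkey rsa:2048 -keyout "$dir/MOK.priv" \
        -outform DER -out "$dir/MOK.der" -days 36500 -subj "/CN=$cn/" \
        -passout "pass:$pass" 2>/dev/null
    chmod 600 "$dir/MOK.priv"   # this key will sign code the firmware trusts
    openssl x509 -inform der -in "$dir/MOK.der" -out "$dir/MOK.pem"
}

# SHA1 fingerprint in the lower-case colon form that `mokutil --list-new`
# prints; MokManager shows the same value at the enrolment prompt on reboot.
# $1 = certificate file, $2 = der or pem
mok_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Pre-enrolment checks: DER and PEM are the same cert, the private key
# belongs to it, and the cert verifies as its own (self-signed) issuer.
check_mok() {
    dir=$1 pass=$2
    [ "$(mok_fingerprint "$dir/MOK.der" der)" = \
      "$(mok_fingerprint "$dir/MOK.pem" pem)" ] || return 1
    cert_mod=$(openssl x509 -in "$dir/MOK.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$dir/MOK.priv" -passin "pass:$pass" \
                  -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    openssl verify -CAfile "$dir/MOK.pem" "$dir/MOK.pem" >/dev/null 2>&1
}

# Stand-alone run: MOK_DEMO=1 sh mok.sh   (optionally MOK_DIR=/path)
if [ "${MOK_DEMO:-0}" = 1 ]; then
    dir=${MOK_DIR:-$(mktemp -d)}
    make_mok "$dir" "Example Owner" "example-passphrase"
    check_mok "$dir" "example-passphrase" && echo "OK: import $dir/MOK.der"
    echo "fingerprint to confirm in MokManager: $(mok_fingerprint "$dir/MOK.der" der)"
fi
```

The fingerprint the script prints is the value to compare against the key MokManager offers for enrolment after the reboot, so a key that was not created by you is not enrolled by accident.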
