how to setup Linux Mint with secure boot enabled.

martyfender
Level 1
Posts: 45
Joined: Thu Aug 03, 2017 12:22 am

Post by martyfender » Sun Sep 08, 2019 10:11 pm

I don't have a UEFI BIOS computer, but I am considering upgrading to a new one in the future and would like to know how to set up Linux Mint with secure boot enabled. I found this guide for Mint to add the EFI key.

https://community.linuxmint.com/tutorial/view/2061

I don't want to do full disk encryption, but would like to import the EFI keys. Is this the way to do it, or are there simpler methods to do this? I do know it would be simpler to disable secure boot in the UEFI BIOS, but would it be better to import the keys to keep it enabled?

Thanks
Last edited by Pierre on Tue Sep 10, 2019 9:28 am, edited 1 time in total.
Reason: Split this Topic, away as it's another issue.

athi
Level 6
Posts: 1300
Joined: Sun Mar 30, 2014 10:15 am
Location: USA

Post by athi » Sun Sep 08, 2019 10:44 pm

That is a long tutorial, not really sure where the EFI key importation is in that document. The basics are that when Mint is installed on a UEFI-enabled system, it will create a folder named Ubuntu (Mint is Ubuntu based) in the EFI partition with several files (shimx64.efi, grubx64.efi, and MokManager.efi), of which grubx64.efi is the Mint EFI key. After installation, you will enter UEFI setup and import Mint grubx64.efi into the secure boot allowable key database. This will make the Mint grubx64.efi key a trusted key and allow Mint to boot with secure boot enabled. The actual steps are different due to lack of standardization in UEFI implementation, but the basic steps are the same. FYI, since secure boot only prevents booting of an unauthorized O/S and does not prevent installation of an O/S, you can install Mint with secure boot enabled.

As far as keeping secure boot enabled or not, secure boot is not required for Mint operation so I see no need for secure boot.


Sir Charles
Level 7
Posts: 1897
Joined: Thu Jan 04, 2018 1:00 pm

Re: how to setup Linux Mint with secure boot enabled.

Post by Sir Charles » Tue Sep 10, 2019 10:14 am

A web search on "secure boot compatible linux distribution" comes up with:
https://duckduckgo.com/?q=secure+boot+c ... fsb&ia=web
You might be interested to have a look.

fabien85
Level 7
Posts: 1544
Joined: Tue Mar 11, 2014 4:30 pm

Re: how to setup Linux Mint with secure boot enabled.

Post by fabien85 » Tue Sep 10, 2019 1:09 pm

Ubuntu (on which Mint is based) is fully compatible with the Secure Boot specification.
So if the manufacturer did its job correctly (which some do not do, more on that later), then the install will just work with default Secure Boot active. Nothing particular to be done.

In detail: on the EFI partition, Ubuntu-based distros put their bootloader in EFI/ubuntu/ as athi said. In there, shimx64.efi is a signed binary which is secure boot compatible. It is signed with the Microsoft third party key which is normally stored in the secure boot implementation (except for a few buggy manufacturers). Shim then checks that grubx64.efi is correctly signed by Canonical (the company producing Ubuntu) and if so it loads it. Then grub starts the bootloading, checks that the linux kernel is also signed by Canonical, and if so it gives control to the kernel.

An exception is Acer laptops. For them, after install you should be greeted by a black screen or a message "no bootable device". You then have to go into the firmware interface / BIOS, find the secure boot area, use "Select UEFI file as trusted for executing", navigate the EFI partition and choose EFI/ubuntu/shimx64.efi (you could also choose grubx64.efi, but grub is updated more frequently than shim and you will have to do the manipulation after each update).
Reference: https://itsfoss.com/no-bootable-device-found-ubuntu/

If you want to completely control secure boot yourself, e.g. get rid of the Microsoft keys stored in the NVRAM, put your own keys etc, then that's a whole other story. It's much more complex, newbie-unfriendly, and it depends a lot on what interfaces your manufacturer provides and whether or not they have bugs. You could read the following two references to start with:
https://www.rodsbooks.com/efi-bootloade ... eboot.html
https://www.rodsbooks.com/efi-bootloade ... ng-sb.html
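
To inspect the shim, GRUB and kernel chain described in the post above on an installed system, this added example (not part of the original thread) reads the Secure Boot state from efivarfs and lists who signed each stage. It assumes the EFI partition is mounted at /boot/efi and that sbverify from the sbsigntool package is installed; the script name and the `--check` argument are this example's own.

```bash
#!/usr/bin/env bash
# Added example: report Secure Boot state and the signers of shim, GRUB and kernel.
# Run as: sudo bash sbcheck.sh --check   (the script name is a placeholder)

# EFI global-variable GUID from the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the data byte of a one-byte efivarfs variable.
# Each efivarfs file starts with a 4-byte attribute word; the value follows.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d '[:space:]'
}

# Print enabled, disabled, setup-mode or unknown.
# $1 = efivars directory; a parameter so the logic can be exercised on copies.
sb_state() {
    local dir="${1:-/sys/firmware/efi/efivars}" sb setup
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || sb=""
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || setup=0
    if [ -z "$sb" ]; then echo unknown            # legacy BIOS boot or unreadable
    elif [ "$setup" = 1 ]; then echo setup-mode   # no Platform Key enrolled
    elif [ "$sb" = 1 ]; then echo enabled
    else echo disabled
    fi
}

# List the certificate subject/issuer on each stage of the boot chain.
# Assumes the ESP is mounted at /boot/efi and sbverify (sbsigntool) is installed.
list_signers() {
    local f
    command -v sbverify >/dev/null 2>&1 || { echo "sbverify not found"; return 0; }
    for f in /boot/efi/EFI/ubuntu/shimx64.efi \
             /boot/efi/EFI/ubuntu/grubx64.efi \
             "/boot/vmlinuz-$(uname -r)"; do
        [ -r "$f" ] || { echo "$f: not readable"; continue; }
        echo "== $f"
        sbverify --list "$f" 2>/dev/null | grep -E 'subject:|issuer:' \
            || echo "   no signature found"
    done
}

if [ "${1:-}" = "--check" ]; then
    echo "Secure Boot: $(sb_state)"
    list_signers
fi
```
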

Pjotr
Level 21
Posts: 13248
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: how to setup Linux Mint with secure boot enabled.

Post by Pjotr » Tue Sep 10, 2019 1:15 pm

Don't be misled by the name of the thing. Disabling Secure Boot is no loss: it adds no meaningful security anyway. It's primarily a means for Microsoft to enforce its vendor lock-in on your computer... :wink:
