{{Header}}
{{#seo:
|description=Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled.
}}
{{boot_firmware}}
{{intro|
Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled.
}}
= Introduction =
Secure Boot is supposed to be a hardware feature that helps protect your computer by only allowing trusted software to run during startup. It ensures that the system boots with software that hasn't been tampered with.

= {{project_name_short}} Secure Boot Compatibility =
{{project_name_short}} is compatible with computer hardware provider default (Microsoft) provided keys. Disabling Secure Boot is optional. However, if the user keeps Secure Boot enabled, then DKMS key enrollment is recommended, which is documented below.

= Rationale for DKMS Signing Key Enrollment =
Without DKMS Signing Key the following functionality will be broken:

* [https://www.kicksecure.com/?#explain-tirdad CPU Information Leak Protection (TCP ISN) is implemented through custom kernel module tirdad.]
* VirtualBox host operating system software.
* Any other kernel modules not shipped by Debian.

This is because when Secure Boot is enabled, custom (non-mainline in Linux) kernel modules are rejected by the Linux kernel.

= Secure Boot DKMS Signing Key Enrollment =

'''1.''' For importing the MOK certificate make sure <code>mokutil</code> is installed.

It is installed by default in {{project_name_short}}.

{{Install Package
|package=mokutil
}}

'''2.''' Check if Secure Boot is enabled:

{{CodeSelect|code=
sudo mokutil --sb-state
}}

Expected output:

<pre>
SecureBoot enabled
</pre>

If Secure Boot is not enabled, no further steps from this wiki chapter need to be applied.

'''3.''' Import DKMS Mok key.

{{CodeSelect|code=
sudo mokutil --import /var/lib/dkms/mok.pub
}}

'''4.''' Password entry.

You'll be prompted to create a password. Enter it twice.

'''5.''' Reboot the computer.

{{CodeSelect|code=
sudo reboot
}}

'''6.''' MOK Manager EFI interface.

At boot you'll see the MOK Manager EFI interface:

[[File:mok-key-1.png|SHIM UEFI key management]]

'''7.''' Press any key to enter it, then select "Enroll MOK":

[[File:mok-key-2.png|Perform MOK management]]

'''8.''' Then select "Continue":

[[File:mok-key-3.png|Enroll MOK]]

'''9.''' And confirm with "Yes" when prompted:

[[File:mok-key-4.png|Enroll the key(s)?]]

'''10.''' After this, enter the password you set up with <code>mokutil --import</code> in the previous step:

[[File:mok-key-5.png|Enroll the key(s)?]]

'''11.''' At this point you are done, select "OK" and the computer will reboot trusting the key for your modules:

[[File:mok-key-6.png|Perform MOK management]]

'''12.''' After reboot, you can inspect the MOK certificates with the following command:

{{CodeSelect|code=
sudo mokutil --list-enrolled | grep DKMS
}}

Expected output:

<pre>
        Subject: CN=DKMS module signing key
</pre>

'''13.''' To check the signature on a built DKMS module that is installed on a system:

{{CodeSelect|code=
sudo modinfo dkms_test | grep ^signer
}}

<pre>
signer:         DKMS module signing key
</pre>

'''14.''' Done.

The module can now be loaded without issues.

Credits: Based on https://github.com/dell/dkms?tab=readme-ov-file#secure-boot

= Disable Secure Boot =
== Disable Secure Boot using update-secureboot-policy ==
Secure Boot can be disabled using <code>update-secureboot-policy</code>.

This is tool is available only for Debian-based distributions. This includes for example Kicksecure and Whonix. For other Linux distributions, see alternative below.

'''1.''' Choose one of these methods:

* '''A)''' Terminal-based graphical user interface: {{CodeSelect|code=
sudo update-secureboot-policy
}}
* '''B)''' Command-line interface: {{CodeSelect|code=
sudo update-secureboot-policy --disable
}}

'''2.''' Reboot your system.

'''3.''' Done.

== Disable Secure Boot in BIOS/UEFI ==
Alternatively, Secure Boot can be disabled using the firmware setup (BIOS/UEFI).

'''1.''' Restart your computer and enter the BIOS/UEFI settings.

'''2.''' Locate the Secure Boot option and disable it.

'''3.''' Save changes and exit.

'''4.''' Done.

= Errors =
== EFI variables are not supported on this system ==
If you see the following error message.

<pre>
EFI variables are not supported on this system
</pre>

In this case, EFI is not ealbed which by exnteino means that Secure Boot is not enabled either. Therefore it is unnecessary for the DKMS MOK key to imported. No further user action is required.

= Development =
* [https://github.com/dell/dkms/issues/429 automate running "<code>sudo mokutil --import /var/lib/dkms/mok.pub</code>"]

= Other Projects on Secure Boot =
* https://www.qubes-os.org/faq/#is-secure-boot-supported

= See Also =
{{boot_firmware}}

= Footnotes=
<references/>
{{Footer}}
[[Category: Documentation]]