Linux Mint (but also Ubuntu) - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT



Author: Naldi Stefano (linux22 at Mint Forum)

First release: April 2017

Version 1.4


Last update: 11 August 2020

 


 

_____________________________________

 

This tutorial replaces my old one at https://community.linuxmint.com/tutorial/view/2360 because that one is malfunctioning and can no longer be updated.

 

_____________________________________

 

 

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

Table of contents

 

GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

How to enable UEFI Secure Boot with your own Custom keys

     Step 1 - How to enable PC UEFI Secure Boot and put Secure Boot in Standard Mode

     Step 2 - How to install Linux Mint FDE

     Step 3 - How to enable PC UEFI Secure Boot, put Secure Boot in Custom Mode and Clear Secure Boot Data

     Step 4 - How to create, enroll and activate your Secure Boot own Custom keys in your PC UEFI platform

     Step 5 - How to sign and verify your booting files grubx64.efi and Bootx64.efi

     Step 6 - Restart your PC UEFI with Secure Boot enabled in Custom Mode

     Appendix A - How to set up your Custom keys and Microsoft keys together

             Method 1 - Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform

             Method 2 - Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories

     Appendix B - How to run VirtualBox with Secure Boot enabled signing its modules with your own Custom keys

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

Copyright (C) 2019, 2020 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see <https://www.gnu.org/licenses/fdl.html>.


GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

Copyright (C) 2019, 2020 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see <https://www.gnu.org/licenses/gpl.html>.

 

Disclaimer and acknowledgments


I wrote this guide/tutorial in the hope that it will be useful to everyone who needs a Linux installation with UEFI Secure Boot enabled. The solution reported here is EXPERIMENTAL and requires good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 20.X, 19.X and 18.X (Cinnamon and MATE) and Ubuntu 16.X and 17.X, all 64-bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.
This tutorial is devoted to a real and hard problem: dealing with UEFI Secure Boot while running a non-Windows operating system. Almost every computer sold today has UEFI and Secure Boot capability, but its default configuration is made for Windows operating systems such as 8.1 and 10.
Here I expose my solution for enabling UEFI Secure Boot on a computer running Linux Mint, also with Full Disk Encryption. This solution provides a full set of Custom Keys (PK, KEK and db) generated by the user (the commands are extracted from the 'cryptboot' package, developed by Michal Krenek 'Mikos' at https://github.com/xmikos/cryptboot). With this configuration you gain full control of your computer, but you will be unable to install a Windows OS such as 8.1 or 10 while Secure Boot is enabled, unless you decide to reinstall the Microsoft keys (in that case see Appendix A).
My first advice, if you want to install this solution, is that you MUST be familiar with UEFI configuration and with Secure Boot behaviour. My second advice, before attempting to install this solution, is to become familiar with your PC UEFI firmware Secure Boot configuration parameters, learn how to set them correctly and, if necessary, how to restore the original standard keys (usually there is a specific command that restores Secure Boot to Standard Mode).
I want to thank Michal Krenek (Mikos) for his 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation. Although this package seems to be developed for Arch Linux, we can find within it the right commands and advice for almost every Linux distribution.
I have tested this solution with Mint 18 and Ubuntu 16.04 only.
As I always say, it is better to try this solution first in a virtual machine, but in this case the only one supporting UEFI Secure Boot emulation for Linux is QEMU/KVM. I have tested this solution with QEMU/KVM and the OVMF firmware simulating UEFI with Secure Boot enabled. At the moment it seems to work smoothly.
The solution described here requires a lot of terminal commands. If the user makes a mistake and runs a wrong command, he can damage or wipe the software structure of his PC UEFI firmware and HDD. So, if you run the commands listed in this guide/tutorial using 'Copy' and 'Paste', pay attention not to alter them.
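Since the advice above is to know which Secure Boot mode your firmware is in before touching any keys, here is an added check script (written for this page, not taken from the tutorial or from cryptboot) that reads the state from the efivars filesystem. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (override with the EFIVARS variable) and relies on the documented efivarfs layout: each variable file is a 4-byte attribute header followed by the variable data, with SecureBoot and SetupMode holding one data byte each. The GUIDs are the standard EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE identifiers.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from cryptboot.
# Reports the UEFI Secure Boot state from efivarfs so you can confirm the
# firmware mode before and after each step of the procedure.
# Assumed layout (UEFI spec + Linux efivarfs): 4-byte attribute header,
# then the variable data; SecureBoot and SetupMode carry a single byte.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE: PK, KEK, SecureBoot, SetupMode
DB_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f       # EFI_IMAGE_SECURITY_DATABASE: db, dbx

# efivar_byte FILE: print the first data byte (after the header) in decimal.
# Returns 1 when the variable file is absent or unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# sb_state [DIR]: classify the platform from SecureBoot and SetupMode.
#   setup-mode           no Platform Key enrolled, key variables writable
#   user-mode-enforcing  PK enrolled and the firmware verifies boot images
#   user-mode-disabled   PK enrolled but Secure Boot switched off
#   no-efivars           variables not present (legacy boot or efivarfs not mounted)
sb_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_byte "$dir/SecureBoot-$GLOBAL_GUID") || { echo no-efivars; return 0; }
    setup=$(efivar_byte "$dir/SetupMode-$GLOBAL_GUID") || setup=0
    if [ "$setup" = "1" ]; then
        echo setup-mode
    elif [ "$sb" = "1" ]; then
        echo user-mode-enforcing
    else
        echo user-mode-disabled
    fi
}

# sb_keys [DIR]: list which of the four key databases exist, e.g. "PK KEK db dbx".
# After "Clear Secure Boot Data" (Step 3) you expect this list to be empty.
sb_keys() {
    dir=${1:-$EFIVARS}
    present=
    for v in PK KEK; do
        [ -e "$dir/$v-$GLOBAL_GUID" ] && present="$present $v"
    done
    for v in db dbx; do
        [ -e "$dir/$v-$DB_GUID" ] && present="$present $v"
    done
    echo "${present# }"
}

# Stand-alone use: one-line summary of the running machine.
echo "Secure Boot: $(sb_state)  keys present: [$(sb_keys)]"
```

Run it once before Step 3 (expect user-mode-* with PK, KEK, db and dbx present), once after clearing the keys (expect setup-mode with an empty key list), and again after Step 6 (expect user-mode-enforcing with your own keys enrolled); a result of no-efivars means the machine did not boot through UEFI at all.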

 

Useful links

The topic for this tutorial at the Mint Forum is:

https://forums.linuxmint.com/viewtopic.php?t=198077

 

 

You can download the latest version of this tutorial in pdf format from my cloud storage at the link below:

Linux Mint (but also Ubuntu) - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT - Version 1.4