Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Information on Secure Boot and DKMS Signing Key (MOK Key) Enrollment to ensure kernel modules can be loaded on systems with Secure Boot enabled.

Introduction[edit]

Secure Boot is supposed to be a hardware feature that helps protect your computer by only allowing trusted software to run during startup. It ensures that the system boots with software that hasn't been tampered with.

Kicksecure Secure Boot Compatibility[edit]

Kicksecure is compatible with computer hardware provider default (Microsoft) provided keys. Disabling Secure Boot is optional. However, if the user keeps Secure Boot enabled, then DKMS key enrollment is recommended, which is documented below.

Rationale for DKMS Signing Key Enrollment[edit]

Without DKMS Signing Key the following functionality will be broken:

• CPU Information Leak Protection (TCP ISN) is implemented through custom kernel module tirdad.
• VirtualBox host operating system software.
• Any other kernel modules not shipped by Debian.

This is because when Secure Boot is enabled, custom (non-mainline in Linux) kernel modules are rejected by the Linux kernel.

Secure Boot DKMS Signing Key Enrollment[edit]

1. For importing the MOK certificate make sure mokutil is installed.

It is installed by default in Kicksecure.

2. Check if Secure Boot is enabled:

sudo mokutil --sb-state

Expected output:

SecureBoot enabled

If Secure Boot is not enabled, no further steps from this wiki chapter need to be applied.

3. Import DKMS Mok key.

sudo mokutil --import /var/lib/dkms/mok.pub

4. Password entry.

You'll be prompted to create a password. Enter it twice.

5. Reboot the computer.

sudo reboot

6. MOK Manager EFI interface.

At boot you'll see the MOK Manager EFI interface:

7. Press any key to enter it, then select "Enroll MOK":

8. Then select "Continue":

9. And confirm with "Yes" when prompted:

10. After this, enter the password you set up with mokutil --import in the previous step:

11. At this point you are done, select "OK" and the computer will reboot trusting the key for your modules:

12. After reboot, you can inspect the MOK certificates with the following command:

sudo mokutil --list-enrolled

Expected output:

        Subject: CN=DKMS module signing key

13. To check the signature on a built DKMS module that is installed on a system:

sudo modinfo dkms_test

signer:         DKMS module signing key

14. Done.

The module can now be loaded without issues.

Credits: Based on https://github.com/dell/dkms?tab=readme-ov-file#secure-boot

Disable Secure Boot[edit]

Disable Secure Boot using update-secureboot-policy[edit]

Secure Boot can be disabled using update-secureboot-policy.

This is tool is available only for Debian-based distributions. This includes for example Kicksecure and Whonix. For other Linux distributions, see alternative below.

1. Choose one of these methods:

• A) Terminal-based graphical user interface: sudo update-secureboot-policy
• B) Command-line interface: sudo update-secureboot-policy --disable

2. Reboot your system.

3. Done.

Disable Secure Boot in BIOS/UEFI[edit]

Alternatively, Secure Boot can be disabled using the firmware setup (BIOS/UEFI).

1. Restart your computer and enter the BIOS/UEFI settings.

2. Locate the Secure Boot option and disable it.

3. Save changes and exit.

4. Done.

Errors[edit]

EFI variables are not supported on this system[edit]

If you see the following error message.

EFI variables are not supported on this system

In this case, EFI is not ealbed which by exnteino means that Secure Boot is not enabled either. Therefore it is unnecessary for the DKMS MOK key to imported. No further user action is required.

Development[edit]

• automate running "sudo mokutil --import /var/lib/dkms/mok.pub"

Other Projects on Secure Boot[edit]

• https://www.qubes-os.org/faq/#is-secure-boot-supported

See Also[edit]

Footnotes[edit]

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!