Help test initial support for Secure Boot
The Debian Installer team is happy to report that the Buster Alpha 5 release of the installer includes some initial support for UEFI Secure Boot (SB) in Debian's installation media.
This support is not yet complete, and we would like to request some help! Please read on for more context and instructions to help us get better coverage and support.
On amd64 machines, by default the Debian installer will now boot (and install) a signed version of the shim package as the first-stage boot loader. Shim is the core package in a signed Linux boot chain on Intel-compatible PCs. It is responsible for validating signatures on further pieces of the boot process (GRUB and the Linux kernel), allowing for verification of those pieces. Each of those pieces will be signed by a Debian production signing key that is baked into the shim binary itself.
However, for safety during the development phase of Debian's SB support, we have only been using a temporary test key to sign our GRUB and Linux packages. If we made a mistake with key management or trust path verification during this development, this would save us from having to revoke the production key. We plan on switching to the production key soon.
Due to the use of the test key so far, out of the box Debian will not yet install or run with SB enabled; shim will not validate signatures made with the test key and will stop, reporting the problem. This is correct and useful behaviour!
Thus far, Debian users have needed to disable SB before installation to make things work. From now on, with SB still disabled, installation and use should work just the same as previously: shim simply chain-loads GRUB and continues through the boot chain without checking signatures.
It is possible to enrol more keys on a SB system so that shim will recognise and allow other signatures, and this is how we have been able to test the rest of the boot chain. We now invite more users to give us valuable test coverage on a wider variety of hardware by enrolling our Debian test key and running with SB enabled.
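The trust decisions described above (shim trusting its baked-in production key, refusing GRUB or a kernel signed with an unrecognised test key when SB is on, chain-loading without checks when SB is off, and accepting the test key once it has been enrolled as a Machine Owner Key) can be modelled in a few lines. The program below is an added illustration written for this page, not code from the shim project or from Debian: it uses Ed25519 from the Go standard library in place of the Authenticode/X.509 signatures real UEFI binaries carry, and the key names, the `Shim`/`SignedImage` types and the four scenarios are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedImage models one later stage of the boot chain (GRUB, the kernel)
// together with the signature its build process attached to it.
type SignedImage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Shim models the first-stage loader's trust policy: one production key
// baked into the binary, plus any Machine Owner Keys the user has enrolled.
type Shim struct {
	EmbeddedKey  ed25519.PublicKey
	EnrolledMOKs []ed25519.PublicKey
	SecureBootOn bool
}

var ErrUntrusted = errors.New("signature not valid under any trusted key")

// Verify returns nil if shim would chain-load img under its current policy.
func (s Shim) Verify(img SignedImage) error {
	if !s.SecureBootOn {
		return nil // SB disabled: chain-load without checking signatures
	}
	trusted := append([]ed25519.PublicKey{s.EmbeddedKey}, s.EnrolledMOKs...)
	for _, k := range trusted {
		if ed25519.Verify(k, img.Payload, img.Signature) {
			return nil
		}
	}
	return fmt.Errorf("%s: %w", img.Name, ErrUntrusted)
}

// BootChain walks the stages in order and stops at the first one shim
// refuses. It returns how many stages were loaded and the refusal, if any.
func BootChain(s Shim, stages []SignedImage) (int, error) {
	for i, st := range stages {
		if err := s.Verify(st); err != nil {
			return i, err
		}
	}
	return len(stages), nil
}

func sign(priv ed25519.PrivateKey, name string, payload []byte) SignedImage {
	return SignedImage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Outcome records how far each constructed scenario got through the chain.
type Outcome struct {
	SBOffTestKey       int // SB disabled, stages signed with the test key
	SBOnTestKeyNoMOK   int // SB enabled, test key not enrolled: shim stops
	SBOnTestKeyWithMOK int // SB enabled, test key enrolled as a MOK
	SBOnProductionKey  int // SB enabled, stages signed with the baked-in key
}

// RunScenarios generates a production key and a test key (constructed for
// this example) and replays the four situations the announcement describes.
func RunScenarios() (Outcome, error) {
	prodPub, prodPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	testPub, testPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	grub, kernel := []byte("grubx64.efi (constructed payload)"), []byte("vmlinuz (constructed payload)")
	testSigned := []SignedImage{sign(testPriv, "GRUB", grub), sign(testPriv, "kernel", kernel)}
	prodSigned := []SignedImage{sign(prodPriv, "GRUB", grub), sign(prodPriv, "kernel", kernel)}

	var o Outcome
	o.SBOffTestKey, _ = BootChain(Shim{EmbeddedKey: prodPub, SecureBootOn: false}, testSigned)
	o.SBOnTestKeyNoMOK, _ = BootChain(Shim{EmbeddedKey: prodPub, SecureBootOn: true}, testSigned)
	o.SBOnTestKeyWithMOK, _ = BootChain(Shim{EmbeddedKey: prodPub, EnrolledMOKs: []ed25519.PublicKey{testPub}, SecureBootOn: true}, testSigned)
	o.SBOnProductionKey, _ = BootChain(Shim{EmbeddedKey: prodPub, SecureBootOn: true}, prodSigned)
	return o, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The second scenario is the "stop and report the problem" case the text calls correct behaviour: with SB on and only the production key trusted, shim refuses the test-signed GRUB at stage 0 and never reaches the kernel. Enrolling the test key (third scenario) is exactly what the wiki instructions ask testers to do, and is the only scenario in which a test-signed chain completes with SB enabled.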
If you want to help us test our Secure Boot support, please follow the instructions in the Debian wiki and provide feedback.
With help from users, we expect to be able to ship fully-working and tested UEFI Secure Boot in an upcoming Debian Installer release and in the main Buster release itself.