LinuxQuestions.org
Old 11-18-2022, 07:58 PM   #1
Outabux
Member
 
Registered: Apr 2003
Location: Greenwood Mississippi
Distribution: Debian.
Posts: 241

Debian UEFI, Secure Boot, Nvidia


I have been quite successful over the years dual booting Debian & Windows on the same drive and on different drives even before Woody. This time, there are a host of maladies arising from Secure Boot.

If secure boot is disabled everything is fine.

However, one of the situations involves the Cherry (or APC) PS/2 Keyboard/Trackpad during installation and use with Secure Boot enabled in BIOS. If I try to use the trackpad, it locks the keyboard. A USB keyboard/mouse can solve this, however, this is not desirable. It carries over after installation as well. I have no idea why this is not working.

Additionally, with secure boot enabled, the Nvidia drivers are a total nightmare and aren't loaded. Why isn't the Nvidia driver signed in the first place? Don't answer, counter productive; purely rhetorical. Anyway, I've tried using the information found in https://wiki.debian.org/SecureBoot as a guide. Everything proceeds well, even through the BIOS interaction (Z590 Dark); however, upon reboot, the module is not loaded. The verification process provided just adds more evidence that it isn't loaded along with lsmod.

I can install Debian the way I would like even getting past all the non-free firmware and local time debacles; however, I am stumped with the Nvidia drivers. Disabling Secure Boot does in fact fix the issue; however, again, this is not ideal.

I'd really like to understand this process for not only now but the future.

I am really fishing to find if I can get some support before posting a bunch of stuff.

I can have a system up in about 20mins or so, but really need help.

One question, why are there elevated and regular prompts mixed when using https://wiki.debian.org/SecureBoot ?

If I install, are there any out there willing to help me understand this process and get it working?

I have no idea about certificates and all that. I can generate the 2048 key... Upon reboot, boom!

I have made backups of the Windows drive including the system partition, so am unafraid of making mistakes. The BIOS implementation is garbage compared to the ASUS Z590's. It is so cryptic.

Anyway, any takers?

Why isn't this automated anyway?
 
Old 11-20-2022, 08:50 AM   #2
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,603
Blog Entries: 19

Quote: Originally Posted by Outabux
One question, why are there elevated and regular prompts mixed when using https://wiki.debian.org/SecureBoot ?
I suspect it's because the private key is stored in that directory alongside the public one, so only root should have access when creating the key pair.

 
Old 11-23-2022, 06:24 PM   #3
Outabux
Original Poster
The documentation page has errors. How do I submit a report to Debian about documentation? I do see that page was updated some time ago.

I'd have to resize screenshots that highlight the difficulties and post captions for each.

Anyway, why doesn't Debian include in the prompt the complete path? It would be so helpful. If you try and follow a copy and paste routine, the elevated prompts switching back and forth to sudo will leave you in the wrong directory. Fixed that.

Also, the directory where the sign-file is documented is incorrect. It is actually in /usr/lib/linux-kbuild-5.10/scripts which led to a command not found. I modified it and proceeded.

In the end, the OS reported errors but said: Success for MOK.priv. Verifying if any of the modules signed did not show any sig_id, signer, sig_key...

There was no mok.pub file. I searched via terminal from the root directory recursively as well as from File Manager. Not in sight. To say the least, it was a bust. framework.conf doesn't offer a clue to its location.

mmx64.efi is present in the debian efi folder of the ESP. I was able to get the first steps without too much hassle.

Anyone successful at getting it to work?

I made backups of the install including the ESP. I reimaged those partitions only to encounter the problems over and over. This is moving at a snail's pace. I'd sure like some help. As a token of gratitude, I'd report what works hopefully to the maintainer of that document and make some suggestions. I do not believe the maintainer is actually checking line by line for output but going off what they expect should work.

I've randomly picked someone who has edited the page and will be sending this email and maybe the screenshots. Maybe they can be of assistance.
 
Old 11-23-2022, 06:27 PM   #4
Outabux
Member
 
Registered: Apr 2003
Location: Greenwood Mississippi
Distribution: Debian.
Posts: 241

Original Poster
Rep: Reputation: 30
Here is a link to Google Drive folder if anyone would like to take a look:

https://drive.google.com/drive/folde...Pz?usp=sharing

Thanks again. Happy Turkey Day! Be safe and enjoy life. Some aren't so fortunate.
 
Old 11-27-2022, 12:28 PM   #5
Outabux
Original Poster
Please refer me to a reputable site that can help with these errors. I have re-imaged the partition, restarted, and updated before trying the same process. I do have better pics available, but believe that no one has accessed or understands the errors.

Please refer me to someone or a site that can provide direction. I've been with Debian since before Woody and do not know what to do. I need this installation to work with Secure Boot enabled; then I can proceed to getting some work done with machine learning.

Thanks. Otherwise LinuxQuestions.org, just like Debian, isn't ready for prime time when it comes to Secure Boot.

 
Old 11-28-2022, 07:36 AM   #6
Outabux
Original Poster
Re-imaged partition yet again.

1) Making an adjustment to /etc/dkms/framework.conf:
uncommenting-->sign_tool="/etc/dkms/sign_helper.sh"

2) installing sbsigntool at beginning

3) installing module-assistant --> can't hurt

4) rebooting to enter BIOS and reset keys to factory state

5) * make sure to append sudo to sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"


Do I really need to sign the kernel? Isn't it already signed? At "Using your key to sign your kernel" should I just skip to signing modules in the requisite directory?

Well here we go...
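The five adjustments listed above are pieces of one procedure: generate a MOK key pair, locate sign-file, sign the DKMS modules, stage the certificate for enrollment, reboot. The script below is an added example written for this thread, not code from the post or from the Debian wiki page it follows. It assumes the wiki's key directory /var/lib/shim-signed/mok (overridable through MOK_DIR), uncompressed .ko files under /lib/modules/<release>/updates/dkms, and that openssl, kmod and mokutil are installed; the optional root-prefix argument of find_sign_file exists only so the lookup can be exercised against a scratch directory without the kernel packages installed. Signing the kernel image itself is deliberately left out: Debian's packaged linux-image-*-signed kernels already carry a Debian signature that shim trusts.

```shell
#!/bin/sh
# Added example (not the thread's or the Debian wiki's code): the MOK
# signing workflow for out-of-tree (DKMS) modules, with the sign-file
# location resolved instead of copied from a page. Assumptions: MOK files
# in /var/lib/shim-signed/mok (MOK_DIR), uncompressed .ko files under
# /lib/modules/<krel>/updates/dkms, openssl + kmod + mokutil installed.
set -e

MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"

# Create a 2048-bit RSA key and self-signed certificate once. MOK.priv must
# stay root-only: whoever can read it can sign modules the kernel will then
# trust, which is why the wiki runs the key steps in a root shell.
mok_generate() {
    [ -f "$MOK_DIR/MOK.priv" ] && return 0
    mkdir -p "$MOK_DIR" && chmod 700 "$MOK_DIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=${MOK_CN:-My Name}/" \
        -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der"
    openssl x509 -inform DER -in "$MOK_DIR/MOK.der" -out "$MOK_DIR/MOK.pem"
    chmod 600 "$MOK_DIR/MOK.priv"
}

# Locate the kernel's sign-file helper for a kernel release. Debian ships it
# in the linux-kbuild-<major.minor> package under /usr/lib, not /usr/src;
# a path copied from elsewhere is what produces "command not found".
# $1 = kernel release (uname -r); $2 = optional root prefix (for tests).
find_sign_file() {
    local krel="$1" root="${2:-}" mm cand
    mm="${krel%%-*}"        # 5.10.0-19-amd64 -> 5.10.0
    mm="${mm%.*}"           # 5.10.0 -> 5.10
    for cand in \
        "$root/usr/lib/linux-kbuild-$mm/scripts/sign-file" \
        "$root/usr/src/linux-headers-$krel/scripts/sign-file" \
        "$root/lib/modules/$krel/build/scripts/sign-file"
    do
        if [ -x "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "sign-file not found for $krel; is linux-kbuild-$mm installed?" >&2
    return 1
}

# Sign every DKMS module for the kernel in place. sign-file takes the hash
# name, the PEM private key, the certificate and the module, and appends a
# PKCS#7 signature; afterwards modinfo shows sig_id/signer/sig_key.
sign_dkms_modules() {
    local krel="$1" sf ko
    sf="$(find_sign_file "$krel")"
    for ko in "/lib/modules/$krel/updates/dkms/"*.ko; do
        [ -e "$ko" ] || { echo "no DKMS modules under /lib/modules/$krel" >&2; return 1; }
        "$sf" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$ko"
        printf '%s signed by: %s\n' "$ko" "$(modinfo -F signer "$ko")"
    done
}

# Stage the certificate for enrollment. mokutil only writes a request into a
# UEFI variable; shim's MokManager asks for the password at the next boot and
# the kernel trusts the key only once that boot has completed enrollment.
mok_enroll() {
    if mokutil --test-key "$MOK_DIR/MOK.der" | grep -q 'already enrolled'; then
        echo "MOK already enrolled"
        return 0
    fi
    mokutil --import "$MOK_DIR/MOK.der"   # prompts for a one-time password
}

main() {
    krel="$(uname -r)"
    mok_generate
    sign_dkms_modules "$krel"
    mok_enroll
    echo "reboot now: MokManager will prompt to enroll the key"
}

case "${1:-}" in run) main ;; esac
```

Run it as root (`sudo sh mok-sign.sh run`) in one shell so the working directory and privileges never change mid-procedure, which is the copy-and-paste trap the earlier posts describe; on the reboot, MokManager's "Enroll MOK" dialog appears only if the import was staged, so if it does not appear, check `mokutil --sb-state` and re-run the import.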
 
Old 11-28-2022, 08:38 AM   #7
Outabux
Original Poster
hackwrench@debian:~$ sudo dmesg | grep cert
[ 1.352337] Loading compiled-in X.509 certificates
[ 1.370531] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 1.370537] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[ 1.371601] integrity: Loading X.509 certificate: UEFI:db
[ 1.371610] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 1.371610] integrity: Loading X.509 certificate: UEFI:db
[ 1.371617] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 1.373112] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373193] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 1.373193] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373273] integrity: Loaded X.509 cert 'My Name: 8208b15cd682c07517fda375a99fcff5be733102'
[ 1.373273] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373349] integrity: Loaded X.509 cert 'My Name: 3c0d17f1cc8b758c30778052daff287e690442ad'
[ 1.373350] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373428] integrity: Loaded X.509 cert 'My Name: 86e9e2fd594621a0555a3193d90ffd9177b5f367'
[ 1.373428] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373508] integrity: Loaded X.509 cert 'My Name: 626ef098dce18d6977813a22714c93b3449dee19'
[ 1.373508] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373587] integrity: Loaded X.509 cert 'My Name: b087d19b29082d86fd1187850988aaaae3ac468a'
[ 1.373587] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373664] integrity: Loaded X.509 cert 'My Name: cb0d86800c0177f5591de0511ac1d664f827fd81'
[ 1.373664] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373739] integrity: Loaded X.509 cert 'My Name: 2aacfcff9a5ff6394b9c99fbc3aeed87cbbf774b'
[ 1.373739] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 1.373815] integrity: Loaded X.509 cert 'My Name: 8042dcf6e76af917b897251e568ffa494bacc8d0'
[ 3.622065] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 3.622156] cfg80211: Loaded X.509 cert 'benh@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
[ 3.622238] cfg80211: Loaded X.509 cert 'romain.perier@gmail.com: 3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[ 3.622320] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'

Am I supposed to have this many certificates of "My Name"? Yes, No?

If not, how do I delete these? The BIOS implementation of the Z590 Dark is nothing like that of the previous ASUS Z590-E, where I could go into BIOS and just delete PK entries easy peasy if a mistake were made.

Crap, I'm just dumb, debian dumb, programming dumb! Should have stayed CompE instead of EE! That's what I will choose for the PhD so that I can get a fresh start and above all else PRACTICE on all of this and not be so confused or have to rely solely upon other's help.

Gone.
 
Old 12-07-2022, 06:25 PM   #8
Outabux
Original Poster
I've started over again with re-imaging the partition from a backup and updating as required.

From the directions, I skipped these two steps as linux-image-5.10.0-19-amd64/stable-security,now 5.10.149-2 amd64 [installed,automatic] Linux 5.10 for 64-bit PCs (signed) is obviously signed:

(1) $ sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
(2) $ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"

I have verified that all the modules in /lib/modules/5.10.0-19-amd64/updates/dkms are signed showing sig_id, signer, sig_key, sig_hashalgo, and signature.

However, the following command fails with error that mok.pub does not exist:
sudo mokutil --import /var/lib/dkms/mok.pub
Failed to get file status, /var/lib/dkms/mok.pub

mok.pub cannot be found anywhere in the system's directory tree.

Please, what am I missing?

At what point is mok.pub generated?

________________________________________

To make a long story short-ish...

Because the kernel was already signed as well as the modules along with the key being enrolled, all that was required was a reboot.

Done. Finito.

________________________________________

Making DKMS modules signing by DKMS signing key usable with the secure boot wasn't needed.

Anyway, thanks again Linuxquestions.org for the Happy Birthday each year!
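Two checks from the last two posts are worth having as a script: which certificates the kernel actually trusts for module signatures (the dmesg listing in post #7, with its pile of "My Name" entries), and whether a given module's signer is one of them (the modinfo check in post #8). The script below is an added example written for this thread, not code from the posts or from Debian. Its sample dmesg lines are copied from post #7 and trimmed; the sample modinfo lines are constructed to resemble a signed DKMS module and the sig_key in them is a placeholder. Matching on the signer's CN is a sanity check rather than a cryptographic verification; the authoritative test remains modprobe with Secure Boot on, which rejects an untrusted signature with "Key was rejected by service".

```shell
#!/bin/sh
# Added example (not the thread's or Debian's code): audit which X.509
# certificates the running kernel trusts for module signatures, count
# duplicate MOK entries, and check whether a module's signer is among them.
# Functions read `dmesg` / `modinfo` text; the samples below are constructed
# (dmesg lines from the thread, modinfo lines invented) so it runs offline.
set -e

# Print "source<TAB>CN<TAB>id" per loaded cert. source is builtin (compiled
# into the kernel), db (UEFI db) or mok (MokListRT). id is the hex the kernel
# prints after the CN. cfg80211 lines are regulatory-db keys and are skipped.
kernel_trusted_certs() {
    awk -v q="'" '
        /cfg80211/ { next }
        /Loading compiled-in X\.509 certificates/    { src = "builtin"; next }
        /Loading X\.509 certificate: UEFI:db$/       { src = "db";      next }
        /Loading X\.509 certificate: UEFI:MokListRT/ { src = "mok";     next }
        /Loaded X\.509 cert / {
            line = $0
            sub(".*Loaded X[.]509 cert " q, "", line)   # drop timestamp/prefix
            sub(q ".*$", "", line)                      # drop closing quote
            n = split(line, parts, ": ")
            id = parts[n]                               # hex id is the last field
            cn = substr(line, 1, length(line) - length(id) - 2)
            printf "%s\t%s\t%s\n", src, cn, id
        }'
}

# How many MOK entries share a CN. Re-running the wiki key-generation step
# enrolls a fresh key each time; every stale "My Name" is its own trust anchor
# until it is removed through mokutil and confirmed in MokManager.
mok_cn_counts() {
    kernel_trusted_certs | awk -F'\t' '$1 == "mok" { c[$2]++ }
        END { for (cn in c) printf "%d\t%s\n", c[cn], cn }' | sort -rn
}

# Pull sig_id, signer and sig_key out of modinfo output.
# Output: "sig_id<TAB>signer<TAB>sig_key", or "unsigned".
module_signature() {
    awk '
        /^sig_id:/  { sub(/^sig_id: */,  ""); id  = $0 }
        /^signer:/  { sub(/^signer: */,  ""); who = $0 }
        /^sig_key:/ { sub(/^sig_key: */, ""); key = $0 }
        END { if (id == "") print "unsigned"
              else printf "%s\t%s\t%s\n", id, who, key }'
}

# Verdict for one module: it loads under Secure Boot only with a PKCS#7
# signature from a signer the kernel trusts. $1 = modinfo text, $2 = dmesg
# text. Exit status 0 only when the signer CN is in builtin/db/MOK.
module_trust_verdict() {
    sig="$(printf '%s\n' "$1" | module_signature)"
    if [ "$sig" = "unsigned" ]; then
        echo "unsigned: will not load with Secure Boot enabled"; return 1
    fi
    signer="$(printf '%s\n' "$sig" | cut -f2)"
    if printf '%s\n' "$2" | kernel_trusted_certs | cut -f2 | grep -Fxq "$signer"; then
        echo "trusted: signed by '$signer'"; return 0
    fi
    echo "untrusted: '$signer' is not in builtin/db/MOK; enroll the MOK and reboot"
    return 1
}

# Constructed samples: dmesg lines from the thread (trimmed), modinfo invented.
SAMPLE_DMESG=$(cat <<'EOF'
[    1.352337] Loading compiled-in X.509 certificates
[    1.370531] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    1.370537] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[    1.371601] integrity: Loading X.509 certificate: UEFI:db
[    1.371610] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    1.373112] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    1.373193] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    1.373193] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    1.373273] integrity: Loaded X.509 cert 'My Name: 8208b15cd682c07517fda375a99fcff5be733102'
[    1.373273] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    1.373349] integrity: Loaded X.509 cert 'My Name: 3c0d17f1cc8b758c30778052daff287e690442ad'
[    1.373350] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    1.373428] integrity: Loaded X.509 cert 'My Name: 86e9e2fd594621a0555a3193d90ffd9177b5f367'
[    3.622065] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    3.622156] cfg80211: Loaded X.509 cert 'benh@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
EOF
)
SAMPLE_MODINFO=$(cat <<'EOF'
filename:       /lib/modules/5.10.0-19-amd64/updates/dkms/nvidia.ko
sig_id:         PKCS#7
signer:         My Name
sig_key:        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
sig_hashalgo:   sha256
EOF
)

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_DMESG" | mok_cn_counts
          module_trust_verdict "$SAMPLE_MODINFO" "$SAMPLE_DMESG" ;;
    live) module_trust_verdict "$(modinfo "$2")" "$(dmesg)" ;;   # dmesg needs root
esac
```

`sh mok-audit.sh demo` prints the per-CN MOK counts (three "My Name" entries in the sample) and a "trusted" verdict; `sudo sh mok-audit.sh live nvidia` runs the same check on the real system. To get rid of stale entries, `mokutil --list-enrolled` shows each enrolled certificate with its subject and serial, `mokutil --delete <cert.der>` stages removal of that one key and `mokutil --reset` stages clearing the whole MokList; like an import, each takes effect only after MokManager confirms it on the next boot, which is the same reboot dependency post #8 ran into.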
 
  

