
DEFAULT_BOOT_DEVICE has been blocked by current security policy

Greetings,
I'm new to Linux and I wanted to try Artix Linux, but I've come across Secure Boot violations. Any help or advice is appreciated!

Issue:
From what I've searched for, it seems Artix Linux does not come pre-signed, similar to Arch Linux, unlike Tails (Debian based) and Linux Mint (Ubuntu based), which are pre-signed.

Questions:
  • How hard is it to sign it myself? And will it need re-signing after updates?
  • In terms of security, is it incorrect to make an exception to secure boot security within BIOS?

Notes:
I'm using a Dell G15 5535 running the latest BIOS version 1.12 provided by manufacturer.
I'm trying to install Artix Linux through a USB flash drive.

Re: DEFAULT_BOOT_DEVICE has been blocked by current security policy

Reply #1
FWIW, I always disable secure boot in the BIOS. The keys are signed by M$ and distros which provide "certified" images have to submit them or a "shim" to Microsoft for signing, you read that right. Perhaps you can self-sign, if you don't mind the risk of bricking your laptop in the process of enrolling the keys to the firmware.

Re: DEFAULT_BOOT_DEVICE has been blocked by current security policy

Reply #2

See for yourself.

Quote
And will it need re-signing after updates?

Yes. However, you can automate it using pacman hooks (run man 5 alpm-hooks in your terminal for a quick overview), and the page above mentions some packages that can do the hook part for you.

Quote
In terms of security, is it incorrect to make an exception to secure boot security within BIOS?

As with most things, it depends on your threat model. Are Linux (or Windows, if you dual boot) bootkits on your machine a realistic risk?

BTW, if you really want to reap maximum advantage from Secure Boot, you need to follow additional steps (see "Implementing secure boot" in the link above) to prevent tampering and theft.

Quote
"shim" to Microsoft for signing, you read that right. Perhaps you can self-sign, if you don't mind the risk of bricking your laptop in the process of enrolling the keys to the firmware.

AFAIK all distros use the same Microsoft-signed shim, and it has its own parallel key enrolling system to work around these buggy BIOSes. One of the sections in the article is about using the shim for Secure Boot support, and a footnote mentions you can even disable the key verification in it so Linux has secure boot effectively disabled and you can skip the whole signing song and dance.
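A pacman hook of the kind described in Reply #2, added here as an illustration that is not from the original thread or from any Artix package. It assumes the Arch/Artix layout where mkinitcpio's own hook has already copied the kernel to /boot/vmlinuz-*, and it assumes the Machine Owner Key lives at /etc/efi-keys/db.key and /etc/efi-keys/db.crt (both paths are assumptions; use whatever key you actually enrolled in db or in shim's MokList).

```ini
# /etc/pacman.d/hooks/99-secureboot-sign.hook   (assumed file name; anything ending in .hook works)
# The "99-" prefix matters: hooks run in filename order, so this one runs after
# 90-mkinitcpio-install.hook has placed the new kernel image in /boot.

[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
# Add one Target line per kernel package you use, e.g. linux-lts or linux-zen.

[Action]
Description = Signing kernel images with the Machine Owner Key for Secure Boot
When = PostTransaction
# For every kernel image in /boot: if sbverify finds no embedded signature, sign it in place.
# Re-signing an already signed image is skipped so the hook stays idempotent.
Exec = /usr/bin/find /boot -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list {} 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key /etc/efi-keys/db.key --cert /etc/efi-keys/db.crt --output {} {}; fi' ;
Depends = sbsigntools
Depends = findutils
Depends = grep
```

Note that this covers only the kernel; the boot loader (and any unified kernel image) that the firmware or shim verifies must be signed with the same key, and a stale signature check can be run by hand with sbverify --cert /etc/efi-keys/db.crt /boot/vmlinuz-linux.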

Re: DEFAULT_BOOT_DEVICE has been blocked by current security policy

Reply #3
Quote
"shim" to Microsoft for signing, you read that right. Perhaps you can self-sign, if you don't mind the risk of bricking your laptop in the process of enrolling the keys to the firmware.

Quote
AFAIK all distros use the same Microsoft-signed shim, and it has its own parallel key enrolling system to work around these buggy BIOSes. One of the sections in the article is about using the shim for Secure Boot support, and a footnote mentions you can even disable the key verification in it so Linux has secure boot effectively disabled and you can skip the whole signing song and dance.

Another example would be Ventoy (a multiboot project); they take those verified shim binaries directly from Debian/Ubuntu, so it can boot everywhere even if Secure Boot is enabled.
