Greetings,
I'm new to Linux and I wanted to try Artix Linux. Although I've come across secure boot violations. Any help or advice is appreciated!
Issue: From what I've searched for, it seems Artix Linux does not come pre-signed, similar to Arch Linux, and unlike Tails (Debian based) and Linux Mint (Ubuntu based), which are pre-signed.
Questions:
- How hard is it to sign it myself? And will it need re-signing after updates?
- In terms of security, is it incorrect to make an exception to secure boot security within BIOS?
Notes: I'm using a Dell G15 5535 running the latest BIOS version 1.12 provided by the manufacturer.
I'm trying to install Artix Linux through a USB flash drive.
FWIW, I always disable secure boot in the BIOS. The keys are signed by M$, and distros which provide "certified" images have to submit them or a "shim" to Microsoft for signing, you read that right. Perhaps you can self-sign, if you don't mind risking bricking your laptop in the process of enrolling the keys to the firmware.
See for yourself (https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot).
Yes. However, you can automate it using pacman hooks (run man 5 alpm-hooks in your terminal for a quick overview), and the page above mentions some packages that can do the hook part for you.
As with most things, it depends on your threat model. Are Linux (or Windows, if you dual boot) bootkits on your machine a realistic risk?
BTW, if you really want to reap maximum advantage from Secure Boot, you need to follow additional steps (see "Implementing secure boot" on the link above) to prevent tampering and theft.
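As an added illustration of the pacman-hook approach mentioned above (this is example code, not from the thread or the Arch wiki), here is a hook that re-signs the kernel with sbsign after every kernel upgrade, so the signature does not silently go stale. It assumes sbsigntools is installed, a self-generated db key/certificate at /etc/secureboot/db.key and db.crt already enrolled in the firmware, and that the script itself is installed as /usr/local/bin/sb-sign-kernel; all of these paths are assumptions.

```shell
#!/bin/sh
# Example (not the thread's or the wiki's code): keep the kernel's Secure Boot
# signature current across updates via a pacman hook (see man 5 alpm-hooks).
# Assumed paths: key/cert below, and this script at /usr/local/bin/sb-sign-kernel.
KEY=${SB_KEY:-/etc/secureboot/db.key}
CERT=${SB_CERT:-/etc/secureboot/db.crt}

# Write the hook into the given hooks directory (normally /etc/pacman.d/hooks).
# It fires PostTransaction when a kernel package installs usr/lib/modules/*/vmlinuz;
# the 99- prefix orders it after mkinitcpio's 90- hook, which copies the
# kernel to /boot/vmlinuz-* first.
write_hook() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/99-secureboot-sign.hook" <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/modules/*/vmlinuz

[Action]
Description = Signing kernel for Secure Boot...
When = PostTransaction
Exec = /usr/local/bin/sb-sign-kernel --run
Depends = sbsigntools
EOF
    printf '%s\n' "$dir/99-secureboot-sign.hook"
}

# Sign one EFI binary unless it already verifies against our certificate.
# Returns non-zero if the file does not exist, so a broken /boot is noticed.
sign_binary() {
    f=$1
    [ -f "$f" ] || { echo "sign_binary: $f not found" >&2; return 1; }
    if sbverify --cert "$CERT" "$f" >/dev/null 2>&1; then
        echo "already signed: $f"
        return 0
    fi
    sbsign --key "$KEY" --cert "$CERT" --output "$f.signed" "$f" && mv "$f.signed" "$f"
}

# Entry point used by the hook: sign every kernel image present in /boot.
main() { for k in /boot/vmlinuz-*; do sign_binary "$k"; done; }

if [ "${1:-}" = "--run" ]; then main; fi
```

Note that this signs only the kernel image; the initramfs is not covered by sbsign, so it remains unverified unless you move to a unified kernel image, which is one of the additional steps the wiki describes.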
AFAIK all distros use the same Microsoft-signed shim, and it has its own parallel key enrolling system to work around these buggy BIOSes. One of the sections in the article is about using the shim for Secure Boot support, and a footnote mentions you can even disable the key verification in it so Linux has secure boot effectively disabled and you can skip the whole signing song and dance.
Another example would be Ventoy (a multiboot project); they take those verified shim binaries directly from Debian/Ubuntu, and this way it can boot everywhere even if Secure Boot is enabled.
Greetings nous! I appreciate your reply.
Upon following your advice I got a kernel panic (Image: https://imgur.com/a/0g7w2yd)
My Dell fortunately has the "append from file" option within secure boot custom security. But how could I brick my laptop within the process of appending the necessary keys to the firmware?
Does Artix Linux come pre-signed with non-Microsoft keys which I could easily add to secure boot?
Greetings capezotte! I appreciate the reply, and I will certainly look further into your link (https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot) once I have enough time! I will make a video if I'm able to resolve my issue with your advice.
Greetings Shoun2137! What you've said is indeed correct; I figured that Ventoy must be doing that in order to boot easily. Using Ventoy I was able to boot into Artix live using the Grub2 boot option, although I still haven't been able to boot Artix normally.
The secure boot comes with:
- PK [PKCS7] CompalA31CSMB
- KEK [PKCS7] Microsoft Corporation KEK CA 2011
- db [PKCS7] Microsoft Windows Production PCA 2011
- db [PKCS7] Microsoft Corporation UEFI CA 2011
- db [PKCS7] CompalA31CSMB
I apologize if I burden you with my lack of knowledge, although I will certainly give you my best.
Ventoy seems to really not like Artix ISOs. I hang around Artix support channels and it's relatively common for something like this to happen, the user to be told to flash the ISO directly, and the issue to go away.
There's no issue in using Grub2 mode if it fixes things for you.
Section 3.1 of the link explains how (as well as how to avoid the risk).
Nope, and neither does Arch. (Though I do wonder how hard it would be to add.)
The second-to-last one in that list is the certificate used to sign Fedora's/Ubuntu's shim; you should be able to install them, or Arch/Artix following the link's section 3.2.2.