UEFI secure boot.

DN-gian5x
Posts: 5
Joined: 2022-04-25 13:20
Has thanked: 2 times

UEFI secure boot.

#1 Post by DN-gian5x »

Hello there, I want to ask how I can enable secure boot in Debian 11. I have full disk encryption in my install, but having secure boot disabled is a security issue since an attacker with physical access to the machine could insert modules in the initramfs to steal the passphrase at boot (/boot and /boot/efi need to be unencrypted). Thanks for the support. I've found this article on the wiki: https://wiki.debian.org/SecureBoot, but it gives errors and doesn't work.

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 68 times

Re: UEFI secure boot.

#2 Post by LE_746F6D617A7A69 »

Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

DN-gian5x
Posts: 5
Joined: 2022-04-25 13:20
Has thanked: 2 times

Re: UEFI secure boot.

#3 Post by DN-gian5x »

Last edited by DN-gian5x on 2022-04-26 06:22, edited 1 time in total.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: UEFI secure boot.

#4 Post by p.H »

DN-gian5x wrote: 2022-04-25 13:31 how can I enable secure boot in Debian 11
Debian supports secure boot by default. You just have to enable it in the UEFI firmware settings.
DN-gian5x wrote: 2022-04-25 13:31 having secure boot disabled is a security issue since an attacker with physical access to the machine could insert modules in the initramfs to steal the passphrase at boot
Secure boot alone won't protect against initramfs tampering.
DN-gian5x wrote: 2022-04-25 13:31 I've found this article on the wiki: https://wiki.debian.org/SecureBoot, but it gives errors and doesn't work.
This statement does not provide any useful information. Please show full commands, output and config files.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: UEFI secure boot.

#5 Post by Head_on_a_Stick »

p.H wrote: 2022-04-27 19:10 Secure boot alone won't protect against initramfs tampering.
It does if a unified kernel image is used.

@OP: see https://wiki.archlinux.org/title/Unifie ... e#Manually & https://dev1galaxy.org/viewtopic.php?pid=35067#p35067 for the details.

EDIT: place the unified image at /EFI/Boot/bootx64.efi on the EFI system partition to make the system boot without any bootloader or NVRAM boot entries (remove superfluous boot entries first though).
deadbang
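The unified kernel image route Head_on_a_Stick points to, written out as an added example (not code from this thread, the Arch wiki or Debian): a POSIX sh script that packs the kernel, initramfs, kernel command line and os-release into one PE image on top of the systemd EFI stub and then signs the result with a Secure Boot db key, so the firmware verifies the initramfs and command line together with the kernel instead of only the bootloader. It assumes GNU binutils (objcopy, objdump), sbsign from the sbsigntool package, the systemd stub at /usr/lib/systemd/boot/efi/linuxx64.efi.stub (shipped by systemd-boot-efi on newer Debian), a command line in /etc/kernel/cmdline, and a db key/certificate pair already enrolled in the firmware; all of those paths are placeholders to adjust. The section offsets are computed from the stub's own section table rather than hard-coded, so larger kernels and initramfs images do not overlap.

```shell
#!/bin/sh
# Added example, not part of the thread: build and sign a unified kernel image
# (UKI). Every path below is an assumption; override via environment variables.
set -eu

STUB="${STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}"  # systemd EFI stub
KERNEL="${KERNEL:-/boot/vmlinuz}"                            # Debian's symlink to the running kernel
INITRD="${INITRD:-/boot/initrd.img}"                         # matching initramfs
CMDLINE_FILE="${CMDLINE_FILE:-/etc/kernel/cmdline}"          # e.g. "root=/dev/mapper/vg-root ro quiet"
OSREL="${OSREL:-/etc/os-release}"
DB_KEY="${DB_KEY:-/path/to/db.key}"   # placeholder: private Secure Boot db key
DB_CRT="${DB_CRT:-/path/to/db.crt}"   # placeholder: matching certificate
OUT="${OUT:-linux.efi}"

# Round OFFSET up to the next multiple of ALIGN (pure arithmetic; no tools needed).
align_up() {
    printf '%d\n' $(( ( $1 + $2 - 1 ) / $2 * $2 ))
}

# PE SectionAlignment from the stub's optional header (objdump prints it as hex).
stub_alignment() {
    printf '%d\n' "0x$(objdump -p "$1" | awk '$1 == "SectionAlignment" { print $2 }')"
}

# End of the last section already present in the stub (size + VMA of the last
# 7-field line of `objdump -h`); new sections must be placed after it.
stub_end() {
    objdump -h "$1" | awk 'NF == 7 { size = $3; vma = $4 } END { print size, vma }' | {
        read -r size vma
        printf '%d\n' $(( 0x$size + 0x$vma ))
    }
}

# Assign non-overlapping, aligned VMAs to each appended section and pack them.
build_uki() {
    align=$(stub_alignment "$STUB")
    osrel_off=$(align_up "$(stub_end "$STUB")" "$align")
    cmdline_off=$(align_up $(( osrel_off + $(stat -Lc %s "$OSREL") )) "$align")
    initrd_off=$(align_up $(( cmdline_off + $(stat -Lc %s "$CMDLINE_FILE") )) "$align")
    linux_off=$(align_up $(( initrd_off + $(stat -Lc %s "$INITRD") )) "$align")

    objcopy \
        --add-section .osrel="$OSREL" \
        --change-section-vma .osrel="$(printf 0x%x "$osrel_off")" \
        --add-section .cmdline="$CMDLINE_FILE" \
        --change-section-vma .cmdline="$(printf 0x%x "$cmdline_off")" \
        --add-section .initrd="$INITRD" \
        --change-section-vma .initrd="$(printf 0x%x "$initrd_off")" \
        --add-section .linux="$KERNEL" \
        --change-section-vma .linux="$(printf 0x%x "$linux_off")" \
        "$STUB" "$OUT"

    # Sign the whole image (stub + os-release + cmdline + initrd + kernel) with
    # the db key. Keep the private key off the machine: if root can read it,
    # root can re-sign a tampered image and the firmware cannot tell the difference.
    sbsign --key "$DB_KEY" --cert "$DB_CRT" --output "$OUT" "$OUT"
}

# List the sections of an image; handy for checking that .initrd and .cmdline
# are really inside before copying it to /EFI/Boot/bootx64.efi on the ESP.
list_uki_sections() {
    objdump -h "$1" | awk 'NF == 7 { print $2 }'
}

# Only build when explicitly asked, so sourcing this file just defines functions.
if [ "${1-}" = "build" ]; then
    build_uki
    list_uki_sections "$OUT"
fi
```

Run it as `sh build-uki.sh build` on the machine that holds the kernel and initramfs, then verify with `sbverify --cert db.crt linux.efi` before replacing the image on the EFI system partition. The design point is that the signature is over one PE file, which is why tampering with the embedded initramfs breaks the boot under Secure Boot, while a separately loaded initramfs next to a signed kernel is never checked by the firmware.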

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 68 times

Re: UEFI secure boot.

#6 Post by LE_746F6D617A7A69 »

HOAS! so You're alive ;)

What is that snorting cat doing in Your avatar? :mrgreen:

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: UEFI secure boot.

#7 Post by Head_on_a_Stick »

LE_746F6D617A7A69 wrote: 2022-04-28 19:57 What is that snorting cat doing in Your avatar?
It is a symbol of solidarity with my fellow workers in our fight against the bourgeoisie:

https://en.wikipedia.org/wiki/Black_cat ... yndicalism

And now back to the topic at hand...

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 68 times

Re: UEFI secure boot.

#8 Post by LE_746F6D617A7A69 »

I understand, and although I don't fully agree with such interpretation, thanks for the explanation.

Now, back to the topic:
All the aspects of SecureBoot can be managed from the admin/root account, which means that SecureBoot itself can't be "more secure" than the root account.

Regards.

DN-gian5x
Posts: 5
Joined: 2022-04-25 13:20
Has thanked: 2 times

Re: UEFI secure boot.

#9 Post by DN-gian5x »

To everyone, thanks for the response, but I've found an alternative workaround for this: I've set up full disk encryption and I put /boot/efi and /boot on a separate USB key. This way, not only can't they tamper with the initramfs or anything else, they can't even boot without the USB key.
@LE_746F6D617A7A69
@Head_on_a_Stick
@p.H

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 68 times

Re: UEFI secure boot.

#10 Post by LE_746F6D617A7A69 »

DN-gian5x wrote: 2022-05-09 15:42 To everyone, thanks for the response, but I've found an alternative workaround for this: I've set up full disk encryption and I put /boot/efi and /boot on a separate USB key. This way, not only can't they tamper with the initramfs or anything else, they can't even boot without the USB key.
Such a solution only prevents unauthorized booting, but it does not prevent modifying the bootloader or initramfs in case of unauthorized access to the root account (there is an exception: You can use a USB drive equipped with a HW switch which disables writing to the device).

Besides, there's a risk that the USB drive gets damaged (not so rare a case), which would make Your system unbootable.

Another problem is that encryption provides protection only in case of stolen hardware. Once the system is booted and running, the encrypted but mounted drives are not protected in any way - they can be controlled/modified by using the root account, or even a regular user account, depending on mount options.

This means that an attacker can still install and/or execute malicious scripts/executables once he gets root privileges.

Regards.

DN-gian5x
Posts: 5
Joined: 2022-04-25 13:20
Has thanked: 2 times

Re: UEFI secure boot.

#11 Post by DN-gian5x »

LE_746F6D617A7A69 wrote: 2022-05-09 20:14
DN-gian5x wrote: 2022-05-09 15:42 To everyone, thanks for the response, but I've found an alternative workaround for this: I've set up full disk encryption and I put /boot/efi and /boot on a separate USB key. This way, not only can't they tamper with the initramfs or anything else, they can't even boot without the USB key.

Such a solution only prevents unauthorized booting, but it does not prevent modifying the bootloader or initramfs in case of unauthorized access to the root account (there is an exception: You can use a USB drive equipped with a HW switch which disables writing to the device).

Besides, there's a risk that the USB drive gets damaged (not so rare a case), which would make Your system unbootable.

Another problem is that encryption provides protection only in case of stolen hardware. Once the system is booted and running, the encrypted but mounted drives are not protected in any way - they can be controlled/modified by using the root account, or even a regular user account, depending on mount options.

This means that an attacker can still install and/or execute malicious scripts/executables once he gets root privileges.

Regards.
It does prevent modification of the bootloader since it is on the USB key that is separated from the computer. Also, I know about the risk of the USB and I'm okay with that; I know too about the risk of the computer getting stolen while it is booted.

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 68 times

Re: UEFI secure boot.

#12 Post by LE_746F6D617A7A69 »

DN-gian5x wrote: 2022-05-09 20:26 It does prevent modification of the bootloader since it is on the USB key
It does not, as long as the USB drive is writeable ;)
