Understanding Secure Boot

[superadmin29]

Hey y'all. Let me preface this with saying I know that the installation instructions mention to turn off secure boot (SB), however security is important to me so I tried to dig a bit deeper.

While the outcome is unclear to me, it seems that the user ihr in this post may have been able to install with SB using SCALE since it is Debian based? When I attempted to install TrueNas SCALE on my Dell PowerEdge R540, I was greeted with

Code:

error: bad shim signature.

as can be expected with secure boot issues. I am very much a n00b when it comes to SB, but based on some internet searching I think I understand the basics of how SB operates. Debain, while late to the SB party in comparison to other distros has supported SB since Buster. My understanding is that the shim binary is signed by Microsoft, which should be accepted on all hosts. From there, the shim executable can essentially bootstrap other signed distro specific executables to continue boot from there. So that leads to my ultimate question of "why doesn't secure boot work?" The only thing I can think of is that I need to install Machine Owner Keys (MOKs) because TrueNas somehow hasn't included it's keys with shim, or that iX Systems hasn't signed anything and that is why. When trying to validate this, I think the

Code:

vmlinuz

file should be signed but I don't know enough about secure boot to be certain. Regardless, it does not appear to be signed.

That being the case, is this as easy as importing a MOK or would I have to sign the installer myself and also import a MOK? If the latter, is it even reasonable to self sign TrueNAS or is it a way bigger task/headache then my readings have led on?

 

[artlessknave]

turn off secure boot (SB), however security is important to me

secure boot is, in reality, essentially Microsoft Security thing to force you to use windows, because windows is not secure enough.
secureboot should never have existed; it's like apple's firmware-OS_software garbage that makes apple OS only run on apple hardware.
linux and freebsd have no need for this. if you want to secure the data, encrypt your storage pools and use secure passwords, that's what encryption is for.

SCALE since it is Debian based

TrueNAS is an appliance build on Debian; the appliance is targeted at enterprise hardware, which doesn't need or have secureboot, for the above reasons.

 

[Ericloewe]

That's not really a fair description of secure boot.

The point of secure boot is to have the system firmware validate that the OS has not been tampered with, by checking the binary being loaded and its signature against a list of valid signing keys. This is a good thing, in general, and has nothing to do with the perceived level of security of the OS that will be loaded.
Of course, it restricts what you can do, which is the very point of it. That's not very relevant, because it can be disabled and configured as needed with additional keys.

Now, is it advantageous enough to overcome the additional work needed? That depends on the situation and is for individual users to decide.

; the appliance is targeted at enterprise hardware, which doesn't need or have secureboot, for the above reasons.

This is rather incorrect. If anything, secure boot is in higher demand in the enterprise segment, rather than being something that just exists without Joe User being consciously aware of it.

iX Systems hasn't signed anything

I suspect that this is what's going on. It's never come up frequently on the forums, which suggests the demand hasn't really been there. There are probably several reasons, some more valid than others, but there's no point in going over them.

It'd be nice to have this confirmed either way.

 

[artlessknave]

ah. perfect!

Cunningham's Law - Meta

meta.wikimedia.org

 

[DarkestDot]

When you add the EFI storage disable Pre-Enroll keys. This is what is causing the error: bad shim signature. No need to disable uefi.

 

[gtbarsi]

When you add the EFI storage disable Pre-Enroll keys. This is what is causing the error: bad shim signature. No need to disable uefi.

This, This is the answer!!!
Thank you for something that not only works but works for me on a SuperMicro X9 motherboard which does not even have Secure Boot Options to manipulate.