I think I just missed a few steps, I followed a couple guides at the same time. Got all the keys built and signed the grub.efi However, shrugs* doesn't seem to be working as expected. The grub.efi.signed I can boot from, but behaviour seems no different then if secure boot is off. Which it tells me it is off in boot menu after I just turned it on.

Thanks

My next experiment will be to try Secure boot on my Asus Motherboard,

PS: Fun fact. I saw a post on a debian thread regarding Nvidia persistenced.
I thought this was a devuan issue. Got no answers however, turns out the user got it running by turning off secure boot in Bios.  Which I refuse to run nvidia drivers anyway anymore.

Now it boots, but it boots USB as well. With custom keys it seems to just boot as if it was off. I guess I didn't set it up quite right. Might try again and update this if I have better luck. Dell seems like they could make really good products. But then there is just something about their bios that scares you right away. Anything Post-skylake I don't really want to dip into.

I've not experimented with my dells yet but my Toshiba Satellite was simply as easy as loading my custom keys, building a stub-load kernel, signing it, and then enabling secure boot in the bios. Will be interested in what you find out with your Dells though.

As for secure boot, I can't seem to find a good guide or documentation for a Dell setup. I have my own keys generated and loaded into the bios. (before it wouldn't boot with secure boot on)

Now it boots, but it boots USB as well. With custom keys it seems to just boot as if it was off. I guess I didn't set it up quite right. Might try again and update this if I have better luck. Dell seems like they could make really good products. But then there is just something about their bios that scares you right away. Anything Post-skylake I don't really want to dip into.

aut0exec wrote:

Even saw some Dells the other day where CSM isn't an option within the firmware!

Yeah, Intel are planning to remove it completely: https://www.anandtech.com/show/12068/in … fi-by-2020

Bastards...

Intel can go screw itself: https://www.seabios.org/Build_overview# … _.28CSM.29

aut0exec wrote:

Even saw some Dells the other day where CSM isn't an option within the firmware!

Yeah, Intel are planning to remove it completely: https://www.anandtech.com/show/12068/in … fi-by-2020

Bastards...

Is this still the timeline for eliminating CSM? (The article was written in 2017.)

Even saw some Dells the other day where CSM isn't an option within the firmware!

Yeah, Intel are planning to remove it completely: https://www.anandtech.com/show/12068/in … fi-by-2020

Bastards...

In respect of UEFI, it is not possible to "turn it off" — all you can do is enable CSM ("Legacy" mode), which still runs the boot process through the UEFI firmware but subjects it to an extra added abstraction layer which is probably full of even more bugs.

Even saw some Dells the other day where CSM isn't an option within the firmware! Figured at some point everyone would move over from CSM/Legacy just wasn't sure when.

Czeekaj - I unfortunately don't have the ability to build my own chips, PCB's, FPGA's, and what not so I'm sort of stuck trusting hardware vendors at a certain point. Secure boot at least makes the bar for high jacking my system 'a little bit' more difficult!

You also have to trust the manufactures firmware to respect your setting when you turn it off.

In respect of UEFI, it is not possible to "turn it off" — all you can do is enable CSM ("Legacy" mode), which still runs the boot process through the UEFI firmware but subjects it to an extra added abstraction layer which is probably full of even more bugs.

Secure Boot should help with some of the problems introduced by UEFI so you should use that rather than CSM.

When I back up Iso for a USB, I like to have it EFI ready because mbr install on a Uefi system means your going to have to wipe something out.

I was wondering if it is worthwhile to convert my traditional boot install to a UEFI boot install. Not sure if there are any advantages.

I've been converting new installs to it but definitely not going back to switch MBR systems to UEFI unless absolutely necessary. Mainly just because of not wanting to switch the partitioning over.

In contrast to ToxicExMachina, I've enjoyed UEFI, there's a bunch of nice things about it (Secure Boot, efibootmgr, doing away with MBR partitions, etc), To each their own though. If you have a spare machine, try a new install and see what you think. You probably won't notice many differences until you start messing with the boot components (Grub mainly, haha).

I was wondering if it is worthwhile to convert my traditional boot install to a UEFI boot install. Not sure if there are any advantages.

UEFI must die. That's all you need to know. The reason is: don't tie yourself to this defective technology. Overcomplication, vulnerability, malware-friendly environment, etc. - this is UEFI. If there will be no option but boot via UEFI it will be an inevitable evil - not a good thing.

I have secure boot enabled on two systems. However, when I check the status it's either on setup mode or bios says it is off.
The laptop I have custom keys setup and loaded into the bios. However, I turn on secure boot in bios. It boots to grub. I check setting in the bios again and it's on. But, I can boot to usb and it mentions secure boot being off. The bios setting is set to on however, now with custom keys.

Acting as if it was off. When it's on with default keys. It stays on, and wont but into grub.

Not sure if I set it up properly having trouble finding a guide that has worked yet. Any one figure out how to set up custom keys on Devuan? I know every bios is a bit different but I may have missed a step. I get an error running on of the last commands on gentoo guide.
No efivarfs filesystem is mounted.

It's odd behaviour but with the proper packages, and grub installed.

grub-install --uefi-secure-boot --bootloader-id=debian 

I can boot with secure boot on. However, boot behavior seems identical and status seems to be off. Even though it's on in the bios.