[How to] Zorin and Secure Boot

Tutorials & Guides
1

What is Secure Boot?
Secure Boot is a measure to secure the boot process against tampering.

How is it set up?
Zorin supports Secure Boot enrollment during installation. Make sure to set Secure Boot as enabled in the UEFI before starting the installation.
If you run into any problems, reset the UEFI and/or Secure Boot to factory defaults/clear any keys, and disable & re-enable Secure Boot. Make sure to enable the Microsoft certificate.

During the installation wizard, you'll be asked to provide a Secure Boot password, it needs to be 8-16 characters. It does not need to be complex or stored for a long time, however during the first reboot after installation you'll be greeted with a blue screen. After 10-15 seconds the machine might or might not continue booting, so it is important to 'catch' it in time.
The second option should read 'Enroll MOK', press Enter.
The first option should read 'view key 0', press Enter.
Here you can see the details about the key. Pressing Enter again brings you back to the previous screen.
The second option should read 'Continue', press Enter and confirm enrolling with [yes].
Type in the previously set password. After this, the password can be discarded.
Press [Reboot] and start using Zorin!

You can check the status of Secure Boot while logged in, by running mokutil --sb-state. It should return:
SecureBoot enabled
After enabling Secure Boot and finishing up your installation, make sure to disable booting from an external USB, and locking down the UEFI with a strong password to further reduce the attack surface.

2 Likes
2

Is this still correct?

I've installed Zorin on two devices, moving away from Windows, and have never seen an option to provide a Secure Boot password during installation.

I also couldn't find any documents on secure boot in the 'Zorin OS Desktop Guide' documentation.

1 Like
4

Hi and Welcome. For a good extensive look at Secure Boot I recommend reading this post:

and as Zorin 17_is based on Ubuntu 22.04:

1 Like
5

Secure boot is a Microsoft feature, and is not necessary or required for Linux, unless your operating a high security computer in the government sector. For a person who just operates a computer from home, all Secure Boot will do, is cause you loads of problems, where you will be pulling your hair out.

Startreker Signature
Startreker Signature700×342 112 KB

3 Likes
6

Much agreed with StarTreker - just to see if I could do it, I got it working with my laptop but.. every Nvidia update needed a password and then booting into the secure boot to proceed with the install and it was just an absolute headache..

Home users - definitely would suggest leaving SecureBoot off; it only causes more troubles than it helps.

5 Likes
7

The problem to the Secure Boot password not appearing during Zorin install was that, on boot, I booted from 'USB - [manufacturer]', instead of 'UEFI: [manufacturer], Partition 1'.

Once I booted using the UEFI option, the option to enter a Secure Boot password on Zorin install appeared.

Posters after me were right, though, in that I asked how to do this, not should I do this. All a part of the learning experience. Special thanks to @swarfendor437; the first link on EFI boot loaders was really educational.

2 Likes
8

I'm sorry but I'm pretty saddened that this myth is still doing its rounds.
Secure Boot is not a Microsoft feature. It is a general feature, Linux was just late to the game and there isn't any distro that has implemented it entirely yet. Zorin is very close, but no cigar at this point.

Everyone and their mother should use Secure Boot, (as well as Measured Boot, otherwise it is still incomplete and thus insecure), since a Linux desktop without it, is much less secure than any Windows installation, even with Full Disk Encryption enabled. This is because without SB&MB, it is trivial to infect the kernel and install a keylogger, which scoops up the FDE passphrase the next time the legitimate user boots the system. Yes, this requires at least physical access once, staying unnoticed, to the machine to manipulate it.

But with the advent of Artificial Intelligence, those kind of attacks are steadily moving from "knowledgeable hacker" to "script kiddie" and now lowering further to "random university dorm creep".
To my opinion, these attacks have never really been only reserved for nation state attackers. Especially with certain professions, like doctors, psychologists, lawyers or security researches, just using FDE is in my opinion insufficient, because it could be that a person is an interesting enough of a target to warrant such an attack. And as I mentioned, I only see the possibility of that increasing since it's becoming more and more available to the average person to execute such an attack.

Yes, Microsoft has a very strong foothold on SecureBoot, since hardware manufacturers basically only ship TPM-hardware with Microsoft keys by default. That is all. But Secure Boot is not Microsoft-exclusive, as Zorin proves this with very reliable MOK enrollment.

This kind of understanding and opinions on these security measures will keep Linux from achieving its full potential. I simply refuse to use an OS that is less secure than Windows, and I'm a nobody. I can already expect comments "you're not interesting enough, you don't need that".

Thank you for your opinion, but I lay those comments beside me. To my opinion, those statements also strongly undermine active Linux development to become an actually safe and mature desktop OS that is as secure, if not more secure than Windows. Because you directly or indirectly tell others, users and developers, that there is no need desire to have Secure Boot/Measured Boot on Linux, which has led to the situation where we are right now;

Linux is still 10 years behind Windows and Mac, while all the tools and methods are available to achieve this. It's just that no distro has fully implemented this, outside of Arch Linux maybe, if someone chooses to set it up that way. (I played around with Arch, and achieved Secure Boot + Measured Boot but I like a Debian-based distro more).

Zorin just needs to implement UKI, then it's basically there. I made a thread in the feedback section: Zorin is really good; it's only missing a Unified Kernel Image

Some closing remarks.

  • I'm aiming mainly for personal/professional desktop(laptop)/office use. If Zorin wants to become the Windows alternative for small and medium business, or local governments, this should be implemented. If not yet, I expect any CISO worth their salt to require this today or tomorrow.
  • Gaming for me is totally out of scope related to this security requirement. I know that makes a lot of stuff more difficult, but you can just game on a separate game PC with Windows or Bazzite or use a game console.
  • Same with Dual Boot or other requirements that make it more difficult to achieve.

MOK should be made password-less maybe though, to simplify software updates. Other than that, having to run another MOK enrollment, even once a month, after an update, is not a problem to me.

2 Likes
9

I am new to Linux but, I have to say I find a lot of helpful information on this blog and others . Thank you all . :+1:

10

I would also like to add that I needed to turn Secure Boot off in BIOS to install Zorin 18 as having it on crashed during install.

After installing Zorin OS 18, I turned Secure Boot Back on.

Verified Secure Boot was on with command: mokutil --sb-state

Now at this point my Secure boot certificates were not enrolled in the MOK.

Perform the following steps after turning secure boot on:

1.) Check if Secure Boot certs are already on computer:

ls -lah /var/lib/shim-signed/mok/ ----> Directory listing secure boot key folder

There should be 3 files:
-rw-r--r-- 1 root root  919 Feb 13 08:30 MOK.der
-rw------- 1 root root 1.7K Feb 13 08:30 MOK.priv
-rw------- 1 root root 1.0K Feb 13 08:30 .rnd

If they are there (above 3 files) proceed to Step 3 otherwise you will need to generate secure boot certs in Step 2:

2.) Generate Secure Boot Certs:

update-secureboot-policy --new-key     ----> Generate new secure-boot key

Now Repeat step #1 and check that there are 3 files: MOK.der, MOK.prov and .rnd

3.) Check and see if Secure Boot Certs are enrolled in MOK.

sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der    -----> See if Secure Boot Key is enrolled

If the output says: 
/var/lib/shim-signed/mok/MOK.der is already enrolled 

If the output says "already enrolled" You are done and secure boot is setup. 
If not then proceed to Step #4.

4.) Enroll Secure Boot certs/keys in MOK:

mokutil --import /var/lib/shim-signed/mok/MOK.der   

After running the command above it will prompt for a passwsord... Enter a password... 
I used my account/sudo password as it's easy to remember!

5.) After completing Step #4 you will need to reboot.

On rebooting you will see the MOK Utility come up immediatly after POST (The BIOS Power on Self Test when first powering up) 

You will need to answer the MOK quickly as it has a 8 - 10 second or so timer and will flash on by if you are not paying attention!

6.) Enrolling Secure Boot Certs/Keys on Bootup/Startup:

You will see the MOK Manager... It is blue and looks like an old Commodore 64 screen... heheh

Be quick and select 'ENROLL MOK'

At this point you will see 'VIEW KEY 0' and 'CONTINUE' You can select VIEW KEY if desired to verify the start and expiration date(s) 
and the expiration date is good for a 100 years... Wow better than Winblows Secure Boot Cert shelf life... Hehehe

After viewing the Certificate you can press enter to get back to the main MOK Mananger Screen

7.) Select 'Continue' in the MOK Mananger.

After selecting 'Continue' you will see 'Enroll the Key'
Select 'Yes' and you will be prompted for a password. 
Enter the same password you used in Step #4.

8.) After entering the password you will be prompted to 'Reboot'
Make sure 'Reboot is highlighted and hit enter to reboot.

9.) ** After booting back up to the desktop you can verify the Secure Boot Keys are
enrolled by typeing at the terminal:

   $ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der
	[sudo] password for scott:         
	/var/lib/shim-signed/mok/MOK.der is already enrolled

** If Step #9 was successful then Congtatulations! You have setup your Secure Boot Keys.

Note:

There is a Youtube video that I used to help me setup and enroll my Secure Boot Keys.
I also referenced the Youtube video to help in writing up these instructions.

  Here is the link to that Youtube Video:
  
  https://www.youtube.com/watch?v=O_aqPJ72p3E&t=1s