Managing Secure Boot with Cinnamon Desktop on Linux Mint

A guide to understanding, configuring, and managing Secure Boot on Linux Mint with the Cinnamon desktop environment.
By İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  6 minute read  

Introduction

Secure Boot is a security feature that helps protect your system from malicious software during the boot process. It verifies that only trusted software components are loaded during startup, which can significantly enhance your system’s security. However, managing Secure Boot on Linux distributions like Linux Mint can be challenging, especially for newcomers.

This guide will walk you through the process of understanding, configuring, and managing Secure Boot specifically on Linux Mint with the Cinnamon desktop environment. We’ll explore the benefits, potential challenges, and step-by-step instructions to ensure your system remains secure while accommodating your specific needs.

Understanding Secure Boot

Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI), which is the modern replacement for the traditional BIOS system. When Secure Boot is enabled, your computer verifies that the bootloader and kernel being loaded are signed with cryptographic keys that are recognized by the UEFI firmware.

How Secure Boot Works

  1. Verification Chain: When your computer starts, the UEFI firmware checks if the bootloader is signed with a trusted key.
  2. Key Database: UEFI firmware maintains databases of allowed keys (db), disallowed keys (dbx), and key exchange keys (KEK).
  3. Platform Key (PK): At the top of the hierarchy is the Platform Key, which controls access to the Secure Boot configuration.

In a default configuration, most systems come with Microsoft’s keys pre-installed, which is why Windows works seamlessly with Secure Boot. Linux distributions must either be signed with Microsoft’s keys or use their own keys, which must be added to the UEFI firmware.

Secure Boot and Linux Mint

Linux Mint, while a popular and user-friendly distribution, has historically had a complicated relationship with Secure Boot. Here’s what you need to know:

Current Status

As of the latest releases, Linux Mint doesn’t provide official signed bootloaders and kernels that work with Secure Boot out of the box. This is primarily because:

  1. The Linux Mint team has focused on accessibility and ease of use over implementing Secure Boot.
  2. There are philosophical considerations regarding the control of signing keys.

However, this doesn’t mean you can’t use Secure Boot with Linux Mint - it just requires some additional configuration.

Preparing Your System

Before we dive into the configuration, let’s ensure your system is ready:

Prerequisites

  • Linux Mint with Cinnamon desktop (20.3 or newer recommended)
  • A computer with UEFI firmware (not legacy BIOS)
  • Administrative access to your system
  • Basic familiarity with terminal commands
  • Backup of important data (safety first!)

Checking Your Current Secure Boot Status

To check if Secure Boot is currently enabled on your system, open a terminal and run:

mokutil --sb-state

This command will return either “SecureBoot enabled” or “SecureBoot disabled”.

Managing Secure Boot on Linux Mint

Let’s look at the different approaches to managing Secure Boot on Linux Mint:

Option 1: Disabling Secure Boot (Simplest Approach)

While this isn’t enhancing security, it’s the simplest solution and worth mentioning:

  1. Restart your computer and enter the UEFI setup (usually by pressing F2, Delete, or Esc during boot)
  2. Navigate to the “Boot” or “Security” section
  3. Find “Secure Boot” settings and disable it
  4. Save changes and exit

This approach allows Linux Mint to boot normally without any Secure Boot constraints.

Option 2: Using MOK (Machine Owner Key) Management

A more secure approach involves creating and registering your own keys:

  1. Install required packages:
sudo apt update
sudo apt install mokutil shim-signed sbsigntool
  1. Generate your own keys:
mkdir ~/secure-boot-keys
cd ~/secure-boot-keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -days 3650 -nodes -subj "/CN=Your Name Secure Boot Key/"
  1. Register your key with MOK:
sudo mokutil --import MOK.crt

You’ll be prompted to create a one-time password.

  1. Reboot your system: During reboot, you’ll see the MOK management screen. Select “Enroll MOK” and follow the prompts, entering the password you created.

  2. Sign the kernel and initramfs:

sudo sbsign --key ~/secure-boot-keys/MOK.key --cert ~/secure-boot-keys/MOK.crt --output /boot/vmlinuz-$(uname -r).signed /boot/vmlinuz-$(uname -r)
  1. Update GRUB to use the signed kernel:
sudo cp /etc/grub.d/10_linux /etc/grub.d/10_linux.backup
sudo nano /etc/grub.d/10_linux

Modify the file to use the signed kernel files instead of the unsigned ones. Look for lines containing “vmlinuz” and add “.signed” to the filename.

  1. Update GRUB configuration:
sudo update-grub

Option 3: Using Pre-Boot Authentication

For even stronger security, you can combine Secure Boot with disk encryption:

  1. Install Linux Mint with full disk encryption during the initial setup process.

  2. Follow the steps in Option 2 to set up Secure Boot with your own keys.

  3. Configure GRUB to use the encrypted disk:

sudo nano /etc/default/grub

Ensure GRUB_ENABLE_CRYPTODISK=y is uncommented or added.

  1. Update GRUB:
sudo update-grub

Maintaining Secure Boot with System Updates

One of the challenges with Secure Boot is maintaining it through kernel updates. Here’s how to handle that:

Automating Kernel Signing

To avoid having to manually sign each new kernel after updates, create a script:

  1. Create the script file:
sudo nano /usr/local/bin/sign-kernel
  1. Add the following content:
#!/bin/bash
# Script to sign kernel and initramfs after updates

KVER="$1"
MOK_KEY="/path/to/your/MOK.key"
MOK_CERT="/path/to/your/MOK.crt"

if [ -z "$KVER" ]; then
    KVER=$(uname -r)
fi

echo "Signing kernel version $KVER"
sbsign --key $MOK_KEY --cert $MOK_CERT --output /boot/vmlinuz-${KVER}.signed /boot/vmlinuz-${KVER}

echo "Updating GRUB configuration"
update-grub

echo "Kernel signing complete"
  1. Make the script executable:
sudo chmod +x /usr/local/bin/sign-kernel
  1. Set up automatic signing after kernel updates:
sudo nano /etc/kernel/postinst.d/zz-sign-kernel

Add:

#!/bin/bash
/usr/local/bin/sign-kernel $1
  1. Make it executable:
sudo chmod +x /etc/kernel/postinst.d/zz-sign-kernel

Troubleshooting Common Issues

Boot Failures After Updates

If your system fails to boot after an update:

  1. Reboot and enter the GRUB menu (hold Shift during boot)
  2. Select an older kernel version that worked previously
  3. Once booted, run the kernel signing script:
sudo sign-kernel $(ls -1 /boot/vmlinuz-* | grep -v "signed" | sort -V | tail -n1 | cut -d'-' -f2-)

Secure Boot Verification Failures

If you see “Secure Boot Verification Failed” messages:

  1. Verify your MOK is properly enrolled:
mokutil --list-enrolled
  1. Check if your kernel is properly signed:
sbverify --list /boot/vmlinuz-$(uname -r).signed
  1. Re-sign the kernel if necessary:
sudo sign-kernel

Security Considerations and Best Practices

To maximize the security benefits of Secure Boot:

  1. Keep your private keys secure - store them on an encrypted external device when not in use.
  2. Use full disk encryption in combination with Secure Boot.
  3. Regularly update your system to ensure security patches are applied.
  4. Consider a separate /boot partition that is unencrypted but verified by Secure Boot.
  5. Back up your keys and configuration in case of hardware failure.

Conclusion

Managing Secure Boot with Linux Mint’s Cinnamon desktop requires some initial setup, but the security benefits are substantial. By following this guide, you’ve learned how to:

  • Understand the principles behind Secure Boot
  • Check your system’s Secure Boot status
  • Configure Secure Boot with your own keys
  • Maintain Secure Boot through system updates
  • Troubleshoot common issues

While Linux Mint doesn’t provide out-of-the-box Secure Boot support, the flexibility of Linux allows you to implement a custom solution that meets your security needs. With Secure Boot properly configured, you can enjoy the user-friendly Cinnamon desktop experience while maintaining a strong security posture against boot-level attacks.

Remember that security is a continuous process - regularly review your configuration and stay informed about new security developments in the Linux ecosystem.


< How to Set Up Network SecurityConfiguring Access Controls >
Last modified 08.03.2025: new content (76eea7a)