Has ClearLinux SecureBoot validation/lockdown?

Hi guys!
Has ClearLinux built-in secure boot validation/“lockdown”/integrity_check mode for kernel/dkms/os by default?

It’s the question with an eye on Ubuntu where validation mode manually enables only by command like sudo mokutil --enable-validation

We do not support secure boot at the moment.

We do not support secure boot at the moment.

What? Why?.. I can’t believe my eyes/ears…
You started ~4 years ago… You declared as security by design(!) and you release desktop version which do not support secure boot… It’s fiasco or we don’t understand deep causes of that decision …or your team don’t have enough resources to develop… please explain it :frowning:

Because CL project seems pretty good but with that insecure approach where early boot binary/firmware/kernel may compromised you increase surface attack anyway.

Bad news for me… unfortunally I can’t use it and forced to uninstall CL, may be back later.
You can include optional LKRG (https://www.openwall.com/lkrg/) kernel module as well.

Well we don’t support the use of the Microsoft signed shim. We do support the use of a self-signed and provisioned chain of trust afaik (ping for @eadams to confirm).

We have the plumbing in place to support secure boot, but we have not signed the first stage boot loader with the Microsoft Key which is what is embedded in most computer’s UEFI firmware. You can read more about it at Why should I disable secure boot (other distros don't require this).

I asked ~half-month ago in the Q&A section = How to properly install CL in secure boot with custom key managment,, but the topic still has 0 replies.

I agree about not using MS pre-installed keys and using your own - it’s true. But can you give detailed instruction / step-by-step howto for custom keys / efi handling with secure boot.

Your official documentation hasn’t any instruction and basic info about it. What should users know about if even the team os answers are so contradictory.

I don’t want ran to these troubles as described there (Hunting UEFI implants) by indutry experts.

Your arguments sound strange and it’s not clear why then industry giants like Mac (in thier macbooks) or Google with thier chrombooks still uses strong firmware/bootloader/os-image protection.

I cannot use this OS until the information is Сlear*.

This question isn’t specific to clearlinux. Any online guide that explains how to sign and use your own keys is adequate and covers the topic well.

This forum isn’t a dedicated support channel. Developers are here to help people as much as they can. In many cases, we will not resolve issues and it’s up to other users to help out as much as they can. In the case of generic questions, you should absolutely do some research yourself before asking, since it will help you understand the answer that you may get.

1 Like

If this isn’t merged into the mainline linux kernel, we will not include it. You will have to compile and install it yourself.

This question isn’t specific to clearlinux. Any online guide that explains how to sign and use your own keys is adequate and covers the topic well.

First of all.
If any online doc gives complete information then why your several team mans give conflicting information:

  1. We don’t support secure boot
  2. No, we don’t support ms shim, but support own (afiak! but better ask other man)
  3. Link to article about disable secure boot…

If it’s so simple why you can’t explain in that simple?

And second:
Enrolling your signatures in custom secure boot mode is not the same kernel validation at runtime (afaik), and my basic question was about it. (Maybe I wrong, clear to me, but better detailed describe in official Doc)

And third:
No it’s not a simple question but important (at least for appear in doc), I don’t ask casual info about trivial usage of common Linux. You have you own architecture and build and users deserve for know about it.

I gave an example with Ubuntu that explain it with mokutil with certain params, that enables lockdown. CL doesn’t have this util and no any info about similar and you just skip this important question.

If clearlinux doesn’t meet your requirements, you should absolutely make that decision. We’ll consider your feedback, thanks for letting us know.

1 Like

Maybe lockdown (in Ubuntu) need for locking install any kernel-sensitive (dkms) and drivers things which don’t have sign, and maybe CL doesn’t need this such an approach by bundle/modules control/design.

But these are some blind/wrong guesses. Why should we guess? Can we hope to see a full, comprehensive chapter in offical doc on this? There is no hurry, but it is important.

Any online docs” debian or redhat based refer to mokutil (that missing in CL) that enables or no lockdown mode. And decided to describe it important moment in an official doc.

As an example (if you think about it as typically/common) Fedora wrote:

The Fedora Secure Boot implementation includes support for two methods of booting under the Secure Boot mechanism

What means existing of a possible different implementations in different distros and even different ways/mechanisms to do. Which implementation used in CL and how it works in CL - we’re Clearly* don’t know.

There’s definitely something we could do with documentation here. Integrating mokutil might indeed be needed.

Thank you!!!
Very glad to hear that, this is very important thing, especially in nowadays.
Moreover mokutil works with native kernel function (lockdown) afaik.
And, yes, this needs to be described in documentation.

Sorry for my hot dialog, but I’ve been waiting for ~half month of clarify about it in full “radio silence” around it, that nullified further using of CL.

I think CLEAR Linux may be dose not support boot time security. But after proper installation, it always provides security to the system. I learn from a Facebook article that Linux does not allow to install any corrupted file.