about libreboot computer and debian 10 secure boot or not?

tonlee
Offline
Joined: 09/08/2014

https://www.debian.org/News/2019/20190706

Secure Boot support is included...

Does a Libreboot ThinkPad T400 support Secure Boot?

If I want to be able to move a Debian 10 64-bit system HDD between both a Libreboot ThinkPad T400 and non-Libreboot x86 computers, do I then install Debian 10 having Secure Boot enabled or not? Thank you.

nadebula.1984
Offline
Joined: 05/01/2018

Libreboot is not UEFI, so it doesn't have "Secure Boot" of course. However, you can implement user-controllable verified boot or measured boot security features.

To share the same installation of Debian between different systems, UEFI mode with Secure Boot enabled is recommended, because this enables you to start this copy of Debian 10 on tyrant systems that don't allow users to disable Secure Boot (e.g. Razer Blade gaming notebooks). Libreboot or coreboot's payload should be able to detect the bootloader in the EFI system partition.

tonlee
Offline
Joined: 09/08/2014

> between different systems

You mean computers?

If I install Debian 10 64-bit on a computer having Secure Boot enabled, it will also start if the HDD is moved to a computer having no Secure Boot enabled?

And the other way around? No Secure Boot enabled while installing and moving the HDD to a computer having Secure Boot enabled.

tonlee
Offline
Joined: 09/08/2014

ThinkPad T400 running the Lenovo BIOS has no Secure Boot. I installed Debian 10 on the computer. Then moved the HDD to a computer which had boot mode -> UEFI, EFI Windows boot manager, enabled.

The computer did not start Debian 10. After enabling boot mode -> legacy support, legacy SATA HDD, the computer started Debian 10. It tells me, Debian 10 cannot adapt from a computer having no Secure Boot to a computer having UEFI enabled.

andyprough
Online
Joined: 02/12/2015

> ThinkPad T400 running the Lenovo BIOS has no Secure Boot. I installed Debian 10 on the computer. Then moved the HDD to a computer which had boot mode -> UEFI, EFI Windows boot manager, enabled.

> The computer did not start Debian 10. After enabling boot mode -> legacy support, legacy SATA HDD, the computer started Debian 10.

Wow. I'm amazed that it worked at all.

nadebula.1984
Offline
Joined: 05/01/2018

Since you installed the OS on a non-(U)EFI system, there is no ESP on the disk, so the OS doesn't start up on a(n) (U)EFI system. Therefore Legacy mode (CSM) support is required.

However, many new systems (after M$ Losedows 10 release) don't have CSM any more. If you want to start up your OS installation on said new systems, you need to install the OS under (U)EFI mode.

If you only have libreboot/coreboot T400, it is still possible. You can try to use Tianocore (rather than SeaBIOS) as the payload. Of course, you'll need to remove the ME in order to make room (on the SPI flash) for the payload. For T400, this is also possible, because there is no "30-minute time bomb".
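
The point made in the last reply (a disk installed in legacy BIOS mode has no ESP, so UEFI-only firmware cannot start it) can be checked before moving the disk. The following is an added example, not part of the thread: it classifies `lsblk -rno NAME,PARTTYPE` output by whether an EFI system partition is present. The function names and the two sample partition listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample data are constructed.

ESP_GPT="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"  # GPT type GUID: EFI system partition
ESP_MBR="0xef"                                   # MBR type byte: EFI system partition

# has_esp: read "NAME PARTTYPE" lines (lsblk -rno NAME,PARTTYPE) on stdin;
# exit 0 if any partition is an ESP, 1 otherwise.
has_esp() {
    awk -v g="$ESP_GPT" -v m="$ESP_MBR" '
        { t = tolower($2); if (t == g || t == m) found = 1 }
        END { exit !found }'
}

# disk_verdict: classify one partition listing passed as $1.
disk_verdict() {
    if printf '%s\n' "$1" | has_esp; then
        echo "uefi-capable"      # disk has an ESP for UEFI firmware to look in
    else
        echo "legacy-only"       # needs BIOS/CSM boot, as in the thread
    fi
}

# firmware_mode: how the running system was started. $1 = sysfs root (default /sys).
firmware_mode() {
    if [ -d "${1:-/sys}/firmware/efi" ]; then echo "uefi"; else echo "bios"; fi
}

# Constructed sample: Debian installed in BIOS mode on an MBR disk (root + swap).
BIOS_INSTALL='sda
sda1 0x83
sda5 0x82'

# Constructed sample: Debian installed in UEFI mode on a GPT disk (ESP + root).
UEFI_INSTALL='sda
sda1 c12a7328-f81f-11d2-ba4b-00a0c93ec93b
sda2 0fc63daf-8483-4772-8e79-3d69d8477de4'

echo "BIOS-mode install: $(disk_verdict "$BIOS_INSTALL")"
echo "UEFI-mode install: $(disk_verdict "$UEFI_INSTALL")"
echo "this machine booted via: $(firmware_mode)"
# On a real system: disk_verdict "$(lsblk -rno NAME,PARTTYPE /dev/sda)"
```

An ESP only tells you the firmware has somewhere to look; whether a signed loader is installed there is a separate question, and `mokutil --sb-state` reports whether Secure Boot is currently enforced on a UEFI machine.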