Debian 10 (“Buster”) Secure Boot Installation and Troubleshooting (2019–07–07)

Kyle O'Malley
Jul 8, 2019


Getting Started

(2019-10-28): It may also be a good idea to install using the unofficial live+nonfree image to avoid missing drivers: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/10.1.0-live+nonfree/amd64/iso-hybrid/
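$ sudo umount /mnt/{automount}
# /dev/sdb is the USB stick on this system; confirm the device name (e.g. with lsblk) before writing
$ sudo cp debian-10.0.0-amd64-DVD-1.iso /dev/sdb
$ sync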
  • Reboot and modify your system BIOS and ensure EFI settings are enabled and working for all of your devices. This is where you should also be enabling Secure Boot.
  • Some legacy video cards do not have a UEFI-compatible “vbios” or might have a “dual bios” setting so they can work in “Legacy” BIOS mode. They sometimes get “stuck” in the legacy mode. You may need to play with booting/shutdown/rebooting, clearing CMOS and yanking the power cord / clearing residual power to get these devices lined up and working in EFI mode. My system (HP Z420) required lots of patience and trying/retrying clearing BIOS but eventually it booted with all EFI settings enabled (from “Legacy mode”) and Secure Boot enabled (with default “HP Keys”). If your card(s) do NOT support EFI, then to my knowledge they will have to be replaced.
  • Boot the Debian 10 installation media and run through installation. Disk Encryption can take a while (e.g. hours) to overwrite the disk in preparation for encryption. Install Cinnamon.
  • Verify Secure Boot
root@debian:~# dmesg | grep secure
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI secure boot; see https://wiki.debian.org/SecureBoot
root@debian:~# mokutil --sb-state
SecureBoot enabled

Troubleshooting

Problem 1: System hangs at first boot complaining about ‘amdgpu’ firmware.

On the first boot after install, the kernel boots and complains that ‘amdgpu’ drivers are not installed and says to see https://wiki.debian.org/Firmware. The system hangs before the GUI loads, showing a blinking cursor (_).

Solution

  1. At the stuck screen, switch to a CLI console (Ctrl + Alt + F2) and log in as root
  2. Modify /etc/apt/sources.list
  3. Edit sources and add ‘contrib non-free’ to the existing buster “main” sources:
deb http://deb.debian.org/debian/ buster main contrib non-free
deb-src http://deb.debian.org/debian/ buster main contrib non-free

  4. apt-get update; apt-get upgrade
  5. apt-get install firmware-linux-free
  6. Reboot

Problem 2: dmesg says “secure boot not enabled”

This is likely a BIOS config issue. If you did not properly enable EFI and Secure Boot before installing Debian 10, your system is not in the proper BIOS state. Simply changing the BIOS at this point may not work, as the EFI boot loader and Master Boot Record boot configurations are not compatible, meaning you will probably have to reinstall OR do some kind of boot to recovery mode and grub EFI dance once your BIOS settings are sorted.
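The two cases behind this problem (a legacy-BIOS install versus an EFI install with Secure Boot switched off) can be told apart from the running system. The script below is an added example, not part of the original post: it reads the SecureBoot and SetupMode UEFI variables from efivarfs. The function names and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify how the running system was booted, so that
# "secure boot not enabled" can be traced to its cause.

# GUID of the UEFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the single data byte of an efivarfs variable. The first four bytes
# of every efivarfs file are the variable's attribute flags, so skip them.
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Usage: boot_security_state [efi_dir]
# efi_dir defaults to /sys/firmware/efi; the argument is a hypothetical
# override so the function can be run against a constructed directory tree.
# Prints one of: legacy-bios, efi-no-secureboot-var, efi-setup-mode,
# efi-secureboot-enabled, efi-secureboot-disabled
boot_security_state() {
    efi_dir="${1:-/sys/firmware/efi}"
    vars="$efi_dir/efivars"
    # The kernel only creates this directory when started by UEFI firmware.
    # Its absence means the installation boots in legacy/CSM mode.
    [ -d "$efi_dir" ] || { echo "legacy-bios"; return 0; }
    sb=$(efivar_byte "$vars/SecureBoot-$EFI_GLOBAL_GUID")
    setup=$(efivar_byte "$vars/SetupMode-$EFI_GLOBAL_GUID")
    if [ -z "$sb" ]; then
        # Firmware exposes no SecureBoot variable, or efivarfs is not mounted.
        echo "efi-no-secureboot-var"
    elif [ "$setup" = "1" ]; then
        # No Platform Key enrolled: signatures are not enforced.
        echo "efi-setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "efi-secureboot-enabled"
    else
        echo "efi-secureboot-disabled"
    fi
}

# Report the state of the live system.
boot_security_state
```

A result of legacy-bios corresponds to the reinstall or grub EFI conversion case described above; efi-secureboot-disabled or efi-setup-mode points at firmware settings or key enrollment instead.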

Problem 3: What happened to Terminal?

You can use xterm and apt, or open Synaptic Package Manager, and install the “gnome-terminal” package. Ctrl + Alt + T FTW

Problem 4: Installing the latest Firefox on Debian 10? Firefox-esr is too old.

# (2019-10-29): Use snapd as an alternative to modifying apt packages / pinning unstable
sudo apt-get install snapd
sudo snap install firefox
# (annoying bug): snapd applications do not populate on the cinnamon launcher (unknown reason), so applications do not show up after installing unless you copy or symlink them manually
cd ~/.local/share/applications
ln -s /var/lib/snapd/desktop/applications/* .
#Add udev rules for all u2f devices
cd /etc/udev/rules.d
sudo wget https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules
# reload udev to have it pull in the new rules (or just reboot)
sudo udevadm control --reload-rules && sudo udevadm trigger
# snap version of firefox does not allow u2f devices to work out of the box. This change allows this to happen.
sudo snap connect firefox:u2f-devices

Alternatively, use Debian package pinning. Below are steps to do this mostly safely. Use at your own risk.

  1. Create an /etc/apt/preferences file (stanzas must be separated by blank lines):
cat /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600

2. Add the unstable package sources to /etc/apt/sources.list

#Unstable
deb http://deb.debian.org/debian unstable main non-free contrib
deb-src http://deb.debian.org/debian unstable main non-free contrib

3. sudo apt-get update; sudo apt-get upgrade; sudo apt-get install firefox

You may need to install specific “/unstable” packages, such as libnspr4. To do so, run the following:

apt-get install libnspr4/unstable
