What you always wanted to know about SecureBoot

ATTENTION: To use our store you have to activate JavaScript and deactivate script blockers!
Thank you for your understanding!

What you always wanted to know about SecureBoot

We often receive questions about what SecureBoot is and why it is deactivated by default on TUXEDO. SecureBoot is a concept that often causes confusion, especially for users who are using it for the first time. Many wonder whether this technology is really necessary and what impact it has on the use of Linux.

In practice, SecureBoot offers both advantages and limitations. A common assumption is that SecureBoot is absolutely necessary to ensure the security of a system. However, this is only an additional protective measure that ensures that only trustworthy software is executed when the system is started.

At TUXEDO Computers, we have made a conscious decision to disable SecureBoot by default. Our goal is to give our users maximum flexibility and control, especially with regard to the installation of Linux and other open source operating systems, where SecureBoot can sometimes lead to complications.

FAQ about SecureBoot
TUXEDO OS with SecureBoot

FAQ about SecureBoot

What is SecureBoot?

SecureBoot is a security function that was developed by Microsoft and was first delivered for Windows 8 from 2012 with UEFI version 2.3.1. SecureBoot is designed to protect the integrity of the boot loader and the kernel. Up to and including Windows 10, SecureBoot was optional; with Windows 11 it is a prerequisite, but Microsoft has not yet enforced it.

How does SecureBoot work?

SecureBoot works with cryptographic signatures. Every program that is loaded by the UEFI firmware contains a signature. Before the firmware allows execution, it checks whether the program is trustworthy by verifying the signature. In this way, SecureBoot ensures that the boot manager, kernel and kernel modules come from a trusted source when Linux is started and prevents untrusted programs from being executed.

SecureBoot and Linux

In order for Linux to run with SecureBoot, the corresponding components must be signed directly or indirectly by a certificate stored in the UEFI (usually from Microsoft) or a manually entered certificate. TUXEDO OS currently uses the second approach. The steps for using SecureBoot with TUXEDO OS are described below.

Requirements for SecureBoot on your TUXEDO

We are not yet activating SecureBoot as we are waiting for a Microsoft-signed shim with an embedded TUXEDO certificate. In connection with SecureBoot, a Shim is a simple software package that can be used as a first-stage boot loader on UEFI systems and loads a signed boot loader there. It also enables the simple reloading and management of own certificates (Machine Owner Keys MOKs), which are then permanently stored, with an interface that is identical for all systems.

TUXEDO OS with SecureBoot

In order to use SecureBoot with TUXEDO OS using our self-signed certificate, some manual steps are currently required:

Step 1: Required packages

By default, the shim-signed package is already pre-installed under TUXEDO OS. Check this, install it if necessary and restart the system.

Step 2: Import certificate

Download the certificate from our GitHub instance and import it as a Machine Owner Key (MOK). In addition to the sudo password, you will be asked for a one-time password, which you must repeat for security reasons.

sudo mokutil --import TUXEDO_Computers_GmbH_Secure_Boot_Signing.crt

Step 3: Import certificate

In order for our driver package tuxedo-drivers to be integrated into the process, you must import a MOK for DKMS. Before you do this, make sure that the directory /var/lib/shim-signed/mok/MOK.der exists on your system. If this is not the case, create it with the command:

sudo update-secureboot-policy --new-key

You must then reinstall all DKMS packages so that the respective modules are signed with the new key. The command will tell you which packages these are:

dkms status

This is followed by the import, where the one-time password is also requested again.

sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

Step 4: Configure MokManager

Use the following command to ensure that the key is displayed in the MokManager after the restart. If nothing is displayed there, the import did not work.

sudo mokutil --list-new

To ensure that the MOKManager is displayed long enough the next time you restart, switch off its timeout:

sudo mokutil --timeout -1

Step 5: Activate SecureBoot

The next restart will open the MOKManager, where you can select Enroll MOK and click on the key in the next window to view the certificate.

Then restart the system. Now you can switch to the BIOS/UEFI and activate SecureBoot on the next restart.

Step 6: Manage certificate

Check the status of SecureBoot in the terminal at any time with the following command:

sudo mokutil --sb-state

If you want to remove a certificate from the MOK, use the following command:

sudo mokutil --delete TUXEDO_Computers_GmbH_Secure_Boot_Signing.crt

For an overview of other commands for managing the MOK and the certificate, simply enter

mokutil -h

Note: If you are not using a US keyboard layout, please note the following: When assigning the one-time password when importing the certificate, please ensure that you do not use any special characters or characters that differ between the US layout and your layout. The reason for this is that the MokManager that appears after the first reboot uses a US layout.

Service & Support

Welcome to TUXEDO Support - how can we help you?

Linux at TUXEDO

Are you wondering if Linux is right for you? Our team will be happy to answer your questions and explain details about the free operating system at TUXEDO.
Let the advantages and services convince you!

Hardware

Notebook, PC, both - and which model? Our technical service team also provides advice on selection, equipment and puts together suitable offers for your technical requirements.

Questions and Answers

Frequently asked questions and the corresponding answers can be found here. If you cannot find a solution to your problem here, it is also worth taking a look at the instructions section.

Find out more

Instructions and Tips

Most situations can be solved quickly and easily by yourself. This saves you time and you can use your device directly again. We provide you with instructions, first steps and short tips for all TUXEDO models.

Find out more

System Recovery

Even in the case of a case, you don't have to rely on us: Your device can be reset to the factory settings - completely automatically! Everything is included with your order and you can get started right away.

Find out more

Technical Service

Our competent technicians are also happy to help with service requests. You have different possibilities to contact us. We are personally there for you Monday to Friday from 9 am to 1 pm and from 2 pm to 5 pm. But also outside these times, you can contact our team with your request by e-mail.
An extra function is available in your customer account for repair requests (RMA).

Contact

We are personally there for you Monday to Friday from 9 am to 1 pm and from 2 pm to 5 pm (German time). But also outside these times you can contact our team with your request by e-mail. Please include your customer number, the model name of your laptop or PC and as detailed a description of your request as possible. The more details you give us, the faster we can process your request!

We might not be able to answer questions about third party hardware or software. For questions about popular open source software (Thunderbird, Filezilla...) please contact a forum e.g. ubuntuforums.org. The research effort for application specific setup is immense and not manageable at the current time. Basic compatibility questions e.g. are of course still welcome!

An extra function is available in your customer account for repair requests (RMA).

Country	Shipping Fee	Free Shipping From
Albania	99,00 EUR	-
Andorra	59,00 EUR	-
~~Belarus~~ Temporarily no delivery possible	~~59,00 EUR~~	-
Belgium	8,49 EUR	100 EUR
Bulgaria	15,99 EUR	160 EUR
Denmark	8,49 EUR	100 EUR
Estonia	15,99 EUR	160 EUR
Faroe Islands	129,00 EUR	-
Finland	14,99 EUR	150 EUR
France	9,99 EUR	120 EUR
Greece	22,90 EUR	-
United Kingdom	9,99 EUR	120 EUR
Hong Kong	199,00 EUR	-
India	199,00 EUR	-
Ireland	14,99 EUR	150 EUR
Island	129,00 EUR	-
Italy	9,99 EUR	120 EUR
Japan	99,00 EUR	-
Canada	99,00 EUR	-
Croatia	34,90 EUR	500 EUR
Latvia	15,99 EUR	160 EUR
Lithuania	15,99 EUR	160 EUR
Luxembourg	8,49 EUR	100 EUR
Macau	199,00 EUR	-
Malta	34,90 EUR	500 EUR
Macedonia	59,00 EUR	-
Moldova	199,00 EUR	-
Monaco	19,00 EUR	-
Montenegro	99,00 EUR	-
Netherlands	8,49 EUR	100 EUR
Norway	14,99 EUR	150 EUR
Austria	8,49 EUR	100 EUR
Poland	15,99 EUR	160 EUR
Portugal	14,99 EUR	150 EUR
Romania	15,99 EUR	160 EUR
San Marino	9,99 EUR	120 EUR
Sweden	14,99 EUR	150 EUR
Switzerland	13,99 EUR	150 EUR
Serbia	34,90 EUR	500 EUR
Singapore	199,00 EUR	-
Slovakia	15,99 EUR	160 EUR
Slovenia	15,99 EUR	160 EUR
Spain (without Canary Islands)	14,99 EUR	150 EUR
Czech Republic	15,99 EUR	160 EUR
~~Ukraine~~ Temporarily no delivery possible	~~129,00 EUR~~	-
Hungary	15,99 EUR	160 EUR
USA including Hawaii	99,00 EUR	-
United Arabic Emirates	199,00 EUR	-
Cyprus	34,90 EUR	500 EUR
Qatar	199,00 EUR	-

What you always wanted to know about SecureBoot - TUXEDO Computers

Settings

Customer Account