What you always wanted to know about SecureBoot - TUXEDO Computers

  ATTENTION: To use our store you have to activate JavaScript and deactivate script blockers!  
Thank you for your understanding!

What you always wanted to know about SecureBoot

We often receive questions about what SecureBoot is and why it is deactivated by default on TUXEDO. SecureBoot is a concept that often causes confusion, especially for users who are using it for the first time. Many wonder whether this technology is really necessary and what impact it has on the use of Linux.

In practice, SecureBoot offers both advantages and limitations. A common assumption is that SecureBoot is absolutely necessary to ensure the security of a system. However, this is only an additional protective measure that ensures that only trustworthy software is executed when the system is started.

At TUXEDO Computers, we have made a conscious decision to disable SecureBoot by default. Our goal is to give our users maximum flexibility and control, especially with regard to the installation of Linux and other open source operating systems, where SecureBoot can sometimes lead to complications.

FAQ about SecureBoot

What is SecureBoot?

SecureBoot is a security function that was developed by Microsoft and was first delivered for Windows 8 from 2012 with UEFI version 2.3.1. SecureBoot is designed to protect the integrity of the boot loader and the kernel. Up to and including Windows 10, SecureBoot was optional; with Windows 11 it is a prerequisite, but Microsoft has not yet enforced it.

How does SecureBoot work?

SecureBoot works with cryptographic signatures. Every program that is loaded by the UEFI firmware contains a signature. Before the firmware allows execution, it checks whether the program is trustworthy by verifying the signature. In this way, SecureBoot ensures that the boot manager, kernel and kernel modules come from a trusted source when Linux is started and prevents untrusted programs from being executed.

SecureBoot and Linux

In order for Linux to run with SecureBoot, the corresponding components must be signed directly or indirectly by a certificate stored in the UEFI (usually from Microsoft) or a manually entered certificate. TUXEDO OS currently uses the second approach. The steps for using SecureBoot with TUXEDO OS are described below.

Requirements for SecureBoot on your TUXEDO

We are not yet activating SecureBoot as we are waiting for a Microsoft-signed shim with an embedded TUXEDO certificate. In connection with SecureBoot, a Shim is a simple software package that can be used as a first-stage boot loader on UEFI systems and loads a signed boot loader there. It also enables the simple reloading and management of own certificates (Machine Owner Keys MOKs), which are then permanently stored, with an interface that is identical for all systems.

TUXEDO OS with SecureBoot

In order to use SecureBoot with TUXEDO OS using our self-signed certificate, some manual steps are currently required:

Step 1: Required packages

By default, the shim-signed package is already pre-installed under TUXEDO OS. Check this, install it if necessary and restart the system.

Step 2: Import certificate

Download the certificate from our GitHub instance and import it as a Machine Owner Key (MOK). In addition to the sudo password, you will be asked for a one-time password, which you must repeat for security reasons.

sudo mokutil --import TUXEDO_Computers_GmbH_Secure_Boot_Signing.crt

Step 3: Import certificate

In order for our driver package tuxedo-drivers to be integrated into the process, you must import a MOK for DKMS. Before you do this, make sure that the directory /var/lib/shim-signed/mok/MOK.der exists on your system. If this is not the case, create it with the command:

sudo update-secureboot-policy --new-key

You must then reinstall all DKMS packages so that the respective modules are signed with the new key. The command will tell you which packages these are:

dkms status

This is followed by the import, where the one-time password is also requested again.

sudo mokutil --import /var/lib/shim-signed/mok/MOK.der

Step 4: Configure MokManager

Use the following command to ensure that the key is displayed in the MokManager after the restart. If nothing is displayed there, the import did not work.

sudo mokutil --list-new

To ensure that the MOKManager is displayed long enough the next time you restart, switch off its timeout:

sudo mokutil --timeout -1

Step 5: Activate SecureBoot

The next restart will open the MOKManager, where you can select Enroll MOK and click on the key in the next window to view the certificate.

Register the key via the MokManager
Register the key via the MokManager

Then restart the system. Now you can switch to the BIOS/UEFI and activate SecureBoot on the next restart.

The mask for activating SecureBoot may vary slightly depending on the UEFI implementation.
The mask for activating SecureBoot may vary slightly depending on the UEFI implementation.

Step 6: Manage certificate

Check the status of SecureBoot in the terminal at any time with the following command:

sudo mokutil --sb-state

If you want to remove a certificate from the MOK, use the following command:

sudo mokutil --delete TUXEDO_Computers_GmbH_Secure_Boot_Signing.crt

For an overview of other commands for managing the MOK and the certificate, simply enter

mokutil -h

Note: If you are not using a US keyboard layout, please note the following: When assigning the one-time password when importing the certificate, please ensure that you do not use any special characters or characters that differ between the US layout and your layout. The reason for this is that the MokManager that appears after the first reboot uses a US layout.

Service & Support

Welcome to TUXEDO Support - how can we help you?

Linux at TUXEDO

Are you wondering if Linux is right for you? Our team will be happy to answer your questions and explain details about the free operating system at TUXEDO.
Let the advantages and services convince you!

Hardware

Notebook, PC, both - and which model? Our technical service team also provides advice on selection, equipment and puts together suitable offers for your technical requirements.

Questions and Answers

Frequently asked questions and the corresponding answers can be found here. If you cannot find a solution to your problem here, it is also worth taking a look at the instructions section.


Find out more

Instructions and Tips

Most situations can be solved quickly and easily by yourself. This saves you time and you can use your device directly again. We provide you with instructions, first steps and short tips for all TUXEDO models.


Find out more

System Recovery

Even in the case of a case, you don't have to rely on us: Your device can be reset to the factory settings - completely automatically! Everything is included with your order and you can get started right away.


Find out more

Technical Service

Our competent technicians are also happy to help with service requests. You have different possibilities to contact us. We are personally there for you Monday to Friday from 9 am to 1 pm and from 2 pm to 5 pm. But also outside these times, you can contact our team with your request by e-mail.
An extra function is available in your customer account for repair requests (RMA).

 

Contact

We are personally there for you Monday to Friday from 9 am to 1 pm and from 2 pm to 5 pm (German time). But also outside these times you can contact our team with your request by e-mail. Please include your customer number, the model name of your laptop or PC and as detailed a description of your request as possible. The more details you give us, the faster we can process your request!

We might not be able to answer questions about third party hardware or software. For questions about popular open source software (Thunderbird, Filezilla...) please contact a forum e.g. ubuntuforums.org. The research effort for application specific setup is immense and not manageable at the current time. Basic compatibility questions e.g. are of course still welcome!

An extra function is available in your customer account for repair requests (RMA).

 

Shipping costs & delivery times

We ship your order to almost all countries, in Europe mostly even free of charge! The respective shipping costs and the cost threshold above which we will cover the costs for you can be found here or for international shipping in the table below.

 


Free shipping within Germany

There are no shipping costs within Germany for goods worth €100 or more.

 

7.99 € shipping cost at max!

No matter how many small articles you order, such as USB stick card reader, LAN adapters or fan articles, with us, you pay a maximum of 7.99 € shipping costs.

  • 7.99 € shipping fee for all orders below 100 € of goods
  • Free shipping from 100 € total value of goods

You can check all occurring shipping costs or if we even deliver for free right before sending your order!

 


International delivery

Here are the shipping costs as well as the amount threshold for your order. The threshold is referring to the total amount of your order, which enables free shipping.
 

Taxes and customs outside the EU:

For orders outside the EU there might be additional duties, taxes or charges needed to be paid by the customer. These don't have to be paid to the supplier, but to local authorities. Please check for any details with your local customs or tax authorities before ordering! But as a benefit you don't have to pay German taxes, this means you save up to 19%!
Due to the Brexit and the associated changes, there may be delays of several days in customs clearance on site for deliveries to the UK. This is not within our sphere of influence, so we ask for your understanding.

 


⚠️ Countries to which we unfortunately cannot ship, and information on how you can still order from us, can be found here!
Country Shipping Fee Free Shipping From
Albania 99,00 EUR -
Andorra 59,00 EUR -
Belarus Temporarily no delivery possible 59,00 EUR -
Belgium 8,49 EUR 100 EUR
Bulgaria 15,99 EUR 160 EUR
Denmark 8,49 EUR 100 EUR
Estonia 15,99 EUR 160 EUR
Faroe Islands 129,00 EUR -
Finland 14,99 EUR 150 EUR
France 9,99 EUR 120 EUR
Greece 22,90 EUR -
United Kingdom 9,99 EUR 120 EUR
Hong Kong 199,00 EUR -
India 199,00 EUR -
Ireland 14,99 EUR 150 EUR
Island 129,00 EUR -
Italy 9,99 EUR 120 EUR
Japan 99,00 EUR -
Canada 99,00 EUR -
Croatia 34,90 EUR 500 EUR
Latvia 15,99 EUR 160 EUR
Lithuania 15,99 EUR 160 EUR
Luxembourg 8,49 EUR 100 EUR
Macau 199,00 EUR -
Malta 34,90 EUR 500 EUR
Macedonia 59,00 EUR -
Moldova 199,00 EUR -
Monaco 19,00 EUR -
Montenegro 99,00 EUR -
Netherlands 8,49 EUR 100 EUR
Norway 14,99 EUR 150 EUR
Austria 8,49 EUR 100 EUR
Poland 15,99 EUR 160 EUR
Portugal 14,99 EUR 150 EUR
Romania 15,99 EUR 160 EUR
San Marino 9,99 EUR 120 EUR
Sweden 14,99 EUR 150 EUR
Switzerland 13,99 EUR 150 EUR
Serbia 34,90 EUR 500 EUR
Singapore 199,00 EUR -
Slovakia 15,99 EUR 160 EUR
Slovenia 15,99 EUR 160 EUR
Spain (without Canary Islands) 14,99 EUR 150 EUR
Czech Republic 15,99 EUR 160 EUR
Ukraine Temporarily no delivery possible 129,00 EUR -
Hungary 15,99 EUR 160 EUR
USA including Hawaii 99,00 EUR -
United Arabic Emirates 199,00 EUR -
Cyprus 34,90 EUR 500 EUR
Qatar 199,00 EUR -
⚠️ Countries to which we unfortunately cannot ship, and information on how you can still order from us, can be found here!

 


Time of delivery

If not stated differently in the article's description, we deliver goods in:

  • 7-10 working days within Germany
  • 10-12 working days outside Germany

For orders paid in advance, the delivery time starts with receipt of the payment. Please keep in mind that there is no delivery on Sundays or on holidays.
For goods delivered as download, there will be no shipping fees due.
Access data for downloads are sent out via e-mail 1-3 working days after contract formation. For orders with advanced payment, we will deliver after receiving the payment. You can download the item by using the link sent to you via e-mail.

Self-pick-up of orders is not possible, unfortunately.