Is there a way to use secure boot with qubes?

[Guerlan]

My computer complains about bad signature when I try to install qubes. Is there a way to install it without disabling secure boot? Does qubes support secure boot? Is there a way to install qubes keys on the BIOS? Why did it reject the keys?

[Guerlan]

On Wednesday, November 8, 2017 at 6:52:14 PM UTC-2, Guerlan wrote:
> My computer complains about bad signature when I try to install qubes. Is there a way to install it without disabling secure boot? Does qubes support secure boot? Is there a way to install qubes keys on the BIOS? Why did it reject the keys?

its a razer blade stealth 2016 or 2017 model

[Tai...@gmx.com]

On 11/08/2017 03:52 PM, Guerlan wrote:

> My computer complains about bad signature when I try to install qubes. Is there a way to install it without disabling secure boot? Does qubes support secure boot? Is there a way to install qubes keys on the BIOS? Why did it reject the keys?
>

If you can't turn off "secure" boot then return your computer and buy
one for real (as of now it is simply a lease if you can't install
whatever OS and bootloader you want).
Owner controllability is very important, I suggest a lenovo g505s with
coreboot (this laptop has open source init unlike many others and it has
no ME/PSP or hardware code signing enforcement)

[Guerlan]

I can turn it off, its a simple BIOS switch, but I wanted to know if it's possible to install with secure boot, so I don't need to trust my pen drive for example.

[blacklight]

On Wednesday, 8 November 2017 20:52:14 UTC, Guerlan wrote:
> My computer complains about bad signature when I try to install qubes. Is there a way to install it without disabling secure boot? Does qubes support secure boot? Is there a way to install qubes keys on the BIOS? Why did it reject the keys?

the question is more that if secureboot supports qubes, rather than the otherway around. to be supported by secureboot, one would need to buy a very expensive license from microsoft, something qubes is not able afford atm.

[Guerlan]

thanks, now I understand. I thought qubes had a signature but it was failing in my computer. I'm gonna try to install without secure boot then :)

[blacklight]

btw you can use qubes's AEM as a poor mans secure boot solution.

[Yuraeitha]

Some motherboards require you to not only disable secure boot, but also to clear (delete) the keys, before it allows you to install through UEFI/EFI. I don't know how many motherboards does this, it's just personal experience.

But be sure you don't got anything installed relying on the secure boot keys, or it's byebye to that install. Like Windows or a Linux distributions that supports secure boot for example. This includes any backups you got laying around you may want to use later.

If I recall correctly, the brand I had this issue with was an ASUS board model.
Either way, just in case you encounter this issue.

[Leo Gaspard]

This is wrong.

On many computer UEFIs, you can add additional root keys. Qubes could
have a Qubes key available that people can add in their UEFI settings,
and sign the kernels etc. with it.

As far as I know that's not yet the case though, so you'd have to do the
signing yourself. A bit sad for people without TPM, but I guess the
development effort is better spent elsewhere.

[cooloutac]

It only cost 100 dollars. But you don't even have to use microsoft key, you can create your own.

[cooloutac]

I just always go back to hacking teams bios exploits which were prevented if secure boot is on.