
    How to Verify, Activate, or Turn Off Secure Boot on Linux

By Willie, March 5, 2026 (updated March 6, 2026)

    Secure Boot is a UEFI feature that checks every piece of startup software against a database of trusted cryptographic signatures. If anything in the boot chain fails verification, the system halts. This blocks rootkits and boot-level malware before your OS ever loads.

    How Secure Boot Works on Linux

    The firmware stores three types of keys that control what runs at boot:

Key Type                    Purpose
Platform Key (PK)           Root authority over all key operations
Key Exchange Key (KEK)      Authorizes changes to the signature database
Signature Database (db)     Holds public keys of approved software publishers

    At startup, the firmware checks the bootloader’s signature against the db. The bootloader then checks the kernel. Both must pass before the OS runs. Distributions like Ubuntu, Fedora, and openSUSE ship pre-signed bootloaders and work with Secure Boot out of the box.

    How to Check Secure Boot Status on Linux

    Open a terminal and run:

    $ sudo mokutil --sb-state

    The output shows either SecureBoot enabled or SecureBoot disabled. The mokutil utility comes with the shim package on most distributions. If it is missing, install shim through your package manager.

    To inspect the firmware variable directly:

$ cat /sys/firmware/efi/efivars/SecureBoot-*

The file is binary: a 4-byte attribute header followed by a single status byte (0 = disabled, 1 = enabled), so pipe it through od -An -t u1 to read it; the last number printed is the status.

Tip: Run sudo bootctl status or sudo dmesg | grep -i secure for an alternative way to confirm Secure Boot state, especially on systemd-based distributions.
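The raw variable is easier to interpret with a few lines of code. The following Python script is an added example and is not part of the original article. It decodes the efivarfs layout (a 4-byte little-endian attribute mask followed by the variable's data), and it also reads SetupMode, because a firmware that is in setup mode (no Platform Key enrolled) is not enforcing anything even if SecureBoot reads 1. The GUID used is the standard EFI global variable GUID under which both variables live; the byte strings in the test are constructed samples.

```python
# Added example, not from the original article: decode the binary UEFI variables
# that `cat /sys/firmware/efi/efivars/SecureBoot-*` prints as raw bytes.
# Layout of an efivarfs file: 4-byte little-endian attribute mask, then the data.
# For SecureBoot and SetupMode the data is exactly one byte, 0 or 1.
import glob
import struct
from typing import Optional, Tuple

EFIVARS = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE GUID: the namespace of SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data). Rejects truncated input."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_efivar(raw: bytes) -> bool:
    """Interpret a one-byte UEFI boolean variable such as SecureBoot or SetupMode."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_state(sb_raw: bytes, setup_raw: Optional[bytes] = None) -> str:
    """Summarise the firmware state in admin-readable terms.

    Secure Boot is only enforcing when SecureBoot == 1 and SetupMode == 0.
    SetupMode == 1 means no Platform Key is enrolled and key changes are
    unauthenticated, so the platform is reported as not enforcing.
    """
    enabled = boolean_efivar(sb_raw)
    if setup_raw is not None and boolean_efivar(setup_raw):
        return "setup mode (no Platform Key enrolled, not enforcing)"
    return "SecureBoot enabled" if enabled else "SecureBoot disabled"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a variable from efivarfs; None when absent (legacy BIOS boot)."""
    matches = glob.glob(f"{EFIVARS}/{name}-{EFI_GLOBAL_GUID}")
    if not matches:
        return None
    with open(matches[0], "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    sb = read_efivar("SecureBoot")
    if sb is None:
        print("no SecureBoot variable: legacy BIOS boot or efivarfs not mounted")
    else:
        print(secure_boot_state(sb, read_efivar("SetupMode")))
```

Reading efivarfs needs root on most distributions. The attribute mask is kept only for completeness; the firmware-reported value is the fifth byte, which is exactly what mokutil --sb-state reports in words.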

    How to Enable Secure Boot on Linux

    Secure Boot is toggled from your firmware setup screen, not from within Linux itself.

    1. Restart your computer and press the firmware key during POST — commonly F2, Del, or Esc.
    2. Navigate to the Security or Boot tab.
    3. Find the Secure Boot option and set it to Enabled.
4. Save your settings and exit.

Note: If your distribution was installed while Secure Boot was disabled, re-enabling it may prevent booting. A non-secure-boot shim may have been installed during setup. Test after enabling and revert if the system fails to boot.

    How to Disable Secure Boot on Linux

    Disable Secure Boot when a third-party driver, custom kernel, or unsigned bootloader blocks your system from starting.

    1. Restart and enter firmware setup using the appropriate key for your hardware.
    2. Go to the Security or Boot section.
    3. Set Secure Boot to Disabled.
4. Save and reboot.

Warning: Disabling Secure Boot removes verification of your startup chain. Unsigned code — including malware — can run during boot. Re-enable it as soon as the reason for disabling it no longer applies.

    Disable Secure Boot Validation from the Terminal (Ubuntu/Debian)

    On systems using shim, you can disable Secure Boot validation without entering firmware:

    $ sudo mokutil --disable-validation

    Enter a temporary password (8–16 digits) when prompted. Reboot, then follow the on-screen MOK management prompts to confirm. To re-enable validation later:

    $ sudo mokutil --enable-validation

    How to Sign a Custom Kernel for Secure Boot

    If you compile your own kernel, you must sign it before the firmware will accept it. On Debian-based systems, install the signing tools first:

# apt-get install sbsigntool

(The Debian and Ubuntu package is named sbsigntool; Arch Linux and Fedora package the same tools as sbsigntools.)

    Generate a signing key and self-signed certificate:

    $ openssl req -new -x509 -newkey rsa:2048 \
      -subj "/CN=CustomKernel/" \
      -keyout MOK.key -out MOK.crt \
      -days 3650 -nodes

    Sign the kernel image:

    $ sbsign --key MOK.key --cert MOK.crt \
      /boot/vmlinuz -o /boot/vmlinuz.signed

    Import the certificate into the Machine Owner Key list:

    $ sudo mokutil --import MOK.crt

    Reboot and follow the on-screen prompts to enroll the key. After enrollment, the firmware trusts your signed kernel.

    Warning: Store MOK.key securely. Treat it like a password. Lock down file permissions with chmod 600 MOK.key. Anyone with access to this key can sign arbitrary code your firmware will trust.

    Practical Tips for Managing Secure Boot on Linux

    • After any kernel or bootloader update, confirm the new files are correctly signed before rebooting.
    • Review boot-time signature errors with journalctl -b | grep -i secureboot.
    • Check firmware variables at /sys/firmware/efi/efivars/ to inspect current key state.
• Pair Secure Boot with a firewall and regular package updates — it only verifies the boot chain, not the software running after the kernel is up.
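The first tip above is easy to automate. The Python script below is an added example, not code from the original article: it inspects a kernel or bootloader image (a PE/COFF file, which is what an EFI-stub kernel and shim/GRUB are) and reports whether it carries the Authenticode certificate table that sbsign writes. It parses headers only; it does not check the signature cryptographically or whether the signing certificate is in db or the MOK list, which is what sbverify and the firmware do. Note that mokutil --sb-state reports only whether the firmware is enforcing, not whether a given file is signed. The build_sample_pe helper constructs a minimal PE32+ header so the check can be exercised offline; real images are far larger.

```python
# Added example, not from the original article: detect whether a PE image
# (EFI-stub kernel, shim, GRUB) carries an Authenticode certificate table.
# Presence only: it does NOT validate the signature or the signer's trust.
import struct
import sys
from typing import List, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Certificate Table slot in the data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, what sbsign emits


def certificate_table(image: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the Certificate Table; (0, 0) when absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+, used by x86_64 and aarch64 kernels
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (ndirs,) = struct.unpack_from("<I", image, ndirs_off)
    needed = (dirs_off - opt) + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_opt < needed:
        return 0, 0
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", image, entry)
    return offset, size


def list_signatures(image: bytes) -> List[Tuple[int, int]]:
    """Walk the WIN_CERTIFICATE entries; returns (certificate_type, length) per entry.

    Unlike other data directories, the Certificate Table address is a raw file
    offset, and consecutive entries are padded to 8-byte boundaries.
    """
    offset, size = certificate_table(image)
    end = offset + size
    sigs = []
    while offset + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", image, offset)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE: length below header size")
        sigs.append((cert_type, length))
        offset += (length + 7) & ~7
    return sigs


def has_authenticode(image: bytes) -> bool:
    """True when at least one PKCS#7 signature entry is attached to the image."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for t, _ in list_signatures(image))


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ (headers only, no sections) for offline testing."""
    opt_size = 240                        # standard PE32+ optional header, 16 data dirs
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 4 + 20 + opt_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH", img, coff, 0x8664, 0)   # machine x86_64, zero sections
    struct.pack_into("<H", img, coff + 16, opt_size)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)         # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)      # NumberOfRvaAndSizes
    if signed:
        # Fake WIN_CERTIFICATE: length 24, revision 2.0, PKCS#7 type, 16 placeholder
        # bytes standing in for the DER SignedData a real signer would attach.
        cert = struct.pack("<IHH", 24, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 16
        entry = opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", img, entry, len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        sigs = list_signatures(data)
        verdict = "signed" if has_authenticode(data) else "UNSIGNED"
        print(f"{path}: {verdict} ({len(sigs)} certificate entries)")
```

Run it after an update as python3 check_sig.py /boot/vmlinuz-* /boot/efi/EFI/*/*.efi (paths vary by distribution). An image reported as UNSIGNED will be refused by shim when Secure Boot is enforcing; a "signed" result still needs sbverify --cert MOK.crt (or the firmware itself) to confirm that the signature chains to an enrolled key.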

    FAQs

    Run sudo mokutil --sb-state in a terminal. The output reads either SecureBoot enabled or SecureBoot disabled. Alternatively, run sudo bootctl status on systemd-boot systems.

    Yes, on systems using shim. Run sudo mokutil --disable-validation, set a temporary password, then reboot and confirm via the MOK management screen.

    Windows will still boot, but its Secure Boot protections are also removed. Re-enable Secure Boot after resolving your Linux boot issue to restore protection for both operating systems.

    Your distribution may have installed an unsigned shim when Secure Boot was disabled at install time. Reinstall with Secure Boot enabled, or enroll your bootloader’s key using mokutil --import.

    Yes. Kernel updates can replace the signed image. Confirm the new kernel is signed by running sudo mokutil --sb-state after reboot, and check journalctl -b | grep -i secureboot for errors.

About the author
    Willie has over 15 years of experience in Linux system administration and DevOps. After managing infrastructure for startups and enterprises alike, he founded Command Linux to share the practical knowledge he wished he had when starting out. He oversees content strategy and contributes guides on server management, automation, and security.
