
enable Linux kernel gpg verification in grub and/or enable Secure Boot by default

Since we are going for allow loading signed kernel modules by default / disallow kernel module loading by default, should we also work towards enable Linux kernel gpg verification in grub and/or enable Secure Boot by default?

Looks doable in principle.


KVM: supports both EFI boot and Secure Boot.

On https://blog.heckel.io/2018/08/06/booting-image-files-and-isos-with-kvm-qemu-efi-and-bios/ see 2. Booting image files with KVM (EFI)

The https://packages.debian.org/buster/ovmf ships an EFI BIOS.

sudo apt install ovmf

Other search results indicate it also supports Secure Boot.


VirtualBox: supports EFI boot (VBoxManage modifyvm "VM name" --firmware efi) but does not support Secure Boot (yet?)

Maybe we could enable Linux kernel gpg verification in grub anyhow?


Whonix Host: Would be nice if it could be booted with Secure Boot enabled. Even if security benefits are contested, this would increase compatibility/usability.


Secure Boot in Debian generally:


Secure Boot generally:

http://fit-pc.com/wiki/index.php/Linux:_Secure_Boot


Related:


Software Freedom / ethical considerations:
At least some points (I am not an expert on the subject) which the FSF is making at
https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/
are very valid. Secure Boot in effect has led to fewer people being capable of running alternative operating systems such as Linux distributions on the PC computer hardware which they thought they fully own, as well as other hardware which has locked bootloaders which cannot be unlocked, which then results in vendor lock-in with respect to the operating system. Needless to say, this is very wrong.
This development discussion however does not concern this. If Secure Boot support in Whonix gets implemented, it may improve usability (on Whonix Host) and/or security, but it does not limit what users can do with their hardware or Whonix. It will still be possible to disable Secure Boot and/or to disable Secure Boot after starting Whonix and/or to disable this in Whonix source code for custom builds.

1 Like
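Added example, not part of the original post or of Whonix: a check to run inside a Linux guest to see whether it was started via legacy BIOS, EFI without Secure Boot (the VirtualBox case described above) or EFI with Secure Boot (possible with KVM and OVMF). It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names and the optional directory argument are hypothetical helpers.

```shell
#!/bin/sh
# Report how the running system was booted: BIOS, EFI, or EFI with Secure Boot.

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE),
# which holds the SecureBoot and SetupMode variables.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the data byte (decimal) of a one-byte EFI variable file.
# efivarfs prefixes every variable with 4 attribute bytes,
# so the value itself is the 5th byte.
efi_var_byte() {
    var_file="$1"
    [ -r "$var_file" ] || return 1
    od -An -tu1 -j4 -N1 "$var_file" 2>/dev/null | tr -d ' \n'
}

# Print one of:
#   bios, efi-secureboot-on, efi-setup-mode, efi-secureboot-off, efi-unknown
# $1 (assumption, for testing only): alternative to /sys/firmware/efi.
boot_mode() {
    efi_dir="${1:-/sys/firmware/efi}"

    # The kernel only creates this directory when it was booted via EFI.
    [ -d "$efi_dir" ] || { echo "bios"; return 0; }

    sb=$(efi_var_byte "$efi_dir/efivars/SecureBoot-$EFI_GLOBAL_GUID") || sb=""
    setup=$(efi_var_byte "$efi_dir/efivars/SetupMode-$EFI_GLOBAL_GUID") || setup=""

    if [ "$sb" = "1" ]; then
        echo "efi-secureboot-on"
    elif [ "$setup" = "1" ]; then
        # No platform key enrolled: firmware is not enforcing signatures.
        echo "efi-setup-mode"
    elif [ "$sb" = "0" ]; then
        echo "efi-secureboot-off"
    else
        # EFI boot, but the variables are missing or unreadable.
        echo "efi-unknown"
    fi
}

boot_mode
```
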

Maybe interesting for experimentation, upgrading existing VMs from grub-pc to grub-efi:
https://packages.debian.org/buster/refind


Secure Boot chain-loading bootloader (Microsoft-signed binary)

This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA.

This package contains the version of the bootloader binary signed by the Microsoft UEFI CA.

https://packages.debian.org/buster/shim-signed


1 Like
1 Like

https://github.com/grml/grml-debootstrap/issues/134#issuecomment-521941224

I’m not objecting to adding EFI support for VM creation, but e.g.
QEMU/KVM requires a separate efi disk (-efidisk0 ....) whereas the VMs as used in VirtualBox don’t require such an extra disk, so it’s not entirely trivial.

If anyone wants to work on this, I’d be more than happy to accept PRs, but I probably won’t have time to work on this in my spare time.
