secure bootin'
So, today I tried to do one of my elaborate installs of Debian on my new
MS-01 - I basically boot a live CD, then run some shell scripts I
wrote that create ZFS filesystems then use debootstrap to blat a
system on to it. It works quite well, and also installs SSH and keys
so that the rest of the setup can be done remotely and automatically
via Ansible.
Part of that is of course building the zfs kernel module and then
loading it, which failed:
modprobe: ERROR: could not insert 'zfs': Key was rejected by service
Some kagi'ing led me to find that this is a secure boot thing and the fix is easy:
$ mokutil --import /var/lib/dkms/mok.pub
which seems fair enough.
modprobe: ERROR: could not insert 'zfs': Key was rejected by service
Ah, still can't load the module. Seems reasonable that a change like this needs a reboot, so let's do that:
Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image \EFI\BOOT\mmx64.efi: Not Found
Failed to start MokManager: Not Found
Something has gone seriously wrong: import_mok_state() failed
Well.
So let's try some things:
- ensure I'm booting USB and not something from the internal disk
- disable secure boot
- reset keys
- reset it all to factory
none of which actually seemed to help. This is quite exciting! I'm old; in my day machines had "disks" and they contained just about the entire state of the machine, aside from the BIOS boot loader's preference on which of these disks to jump to, so I have no idea what state might be left to break my system.
Some more kagi'ing leads me to
this,
which suggests that you need a file called mmx64.efi in the UEFI
partition on the USB boot drive. Sure, let's hack up the USB key,
mount it on another machine and let's go.
Oh wait, it's a giant ISO. I very much do not want to have to rebuild debian-cd to do this.
Fortunately, someone else looked at the partition table of the Debian Live CDs a bit more carefully than I:
@gnomed There is a second FAT partition with the same layout (efi/boot). I managed to boot the USB stick by renaming the file accordingly.
Christian Rauch, Mar 12, 2019 at 20:04
And so I could just mv grubx64.efi to mmx64.efi on the tiny FAT
partition on the USB key, then boot again, then get in to the Debian
installer.
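
A check that could be run after mokutil --import and before rebooting, to see whether the boot medium's EFI partition has the file shim asked for above. This is an added example, not part of the original post; the function names are made up here, and it assumes the FAT partition is already mounted somewhere (e.g. /mnt/esp):

```shell
#!/bin/sh
# Added example: confirm the mounted EFI partition contains
# EFI/BOOT/mmx64.efi, the path shim failed to open in the errors above.

# find_ci DIR NAME: print the entry in DIR matching NAME case-insensitively.
# FAT ignores case, but a Linux vfat mount may show "efi/boot" or "EFI/BOOT".
find_ci() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        have=$(printf '%s' "${entry##*/}" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# esp_has_mokmanager ESP_ROOT: succeed only if a non-empty regular file
# exists at ESP_ROOT/EFI/BOOT/mmx64.efi (any case).
esp_has_mokmanager() {
    path=$1
    for part in EFI BOOT mmx64.efi; do
        path=$(find_ci "$path" "$part") || return 1
    done
    [ -f "$path" ] && [ -s "$path" ]
}

# check_before_reboot ESP_ROOT: print a verdict, return 0 if the file is there.
check_before_reboot() {
    if esp_has_mokmanager "$1"; then
        echo "ok: found mmx64.efi under $1"
        return 0
    fi
    echo "warning: no EFI/BOOT/mmx64.efi under $1;" \
         "shim will fail to start MokManager on next boot" >&2
    return 1
}

# Run directly as: sh check.sh /mnt/esp   (mount point is an assumption)
if [ $# -gt 0 ]; then
    check_before_reboot "$1"
fi
```

It only tests that the file is present; it says nothing about whether the binary is signed or is a real MokManager.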