I learned something very interesting about Debian 12 last night

I figured out a way to enable Secure Boot in an Arch-based distribution - I’ve tested the method on both Garuda (Dragonized and xfce versions) and Manjaro so far - more on that in another post.

While looking for a few non-Arch-based distributions that don’t successfully boot with Secure Boot enabled, I spun up Debian 12-xfce. To my surprise, it booted and installed successfully with Secure Boot enabled in the VM. When I rebooted into the installed system in the VM, it also booted successfully, so as far as I can tell, Debian 12 has Secure Boot support implemented. I didn’t have to sign any images or anything! All I had to do was install it from the ISO I downloaded - debian-live-12.2.0-amd64-xfce.iso.

I know that many who see this have absolutely no interest in enabling Secure Boot on their computers, but for me, it’s an additional stumbling block I can put in the way of hackers/miscreants who may want to get into my system. As far as I’m concerned, the smaller I can make my system’s attack surface, the better. I hope others find this bit of information as interesting as I do :slight_smile:,

Ernie

3 Likes
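Added example, not part of the original post: a successful boot alone does not show that the firmware is enforcing Secure Boot, so this script reads the state from inside the installed system. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: report the firmware's Secure Boot state from efivarfs.
# EFI global variable GUID (from the UEFI specification). Each efivarfs
# file holds 4 bytes of attributes followed by the variable's data.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the first data byte (offset 4) of an efivarfs file as a decimal
# number. Prints nothing if the file is missing or too short.
efi_var_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print one of: enabled, disabled, setup-mode, unknown, not-uefi.
# $1 = efivars directory (optional, defaults to the real mount point).
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    if [ ! -d "$dir" ]; then
        # Legacy BIOS boot, or efivarfs is not mounted.
        echo "not-uefi"
        return 0
    fi
    sb=$(efi_var_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    setup=$(efi_var_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    if [ -z "$sb" ]; then
        echo "unknown"
    elif [ "$setup" = "1" ]; then
        # No platform key enrolled: signatures are not being enforced.
        echo "setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
    return 0
}

secure_boot_state "$@"
```

On systems with mokutil installed, `mokutil --sb-state` reports the same firmware state.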

Yes it has.
Other people are trying, e.g. see this from the Gentoo forums:
https://forums.gentoo.org/viewtopic-t-1159183.html?sid=87a6b18f0c76dfcf6062dd0a85990e54

I wonder if Devuan 5 has it? It should follow Debian.

Maybe I’ll check that out later tonight :slight_smile:

UPDATE

I tried to boot the latest Devuan ISO in a VM with Secure Boot enabled. No joy, so it doesn’t support Secure Boot out of the box like Debian seems to do. I must admit, I’m a bit surprised by that.

Ernie

2 Likes

FOLLOW UP

I created a Devuan VM using the live-xfce ISO, and after installation the VM would not boot. In fact, the VM window closed, so I couldn’t troubleshoot either. Next I got the desktop installer. This time, the system installed and restarted successfully with Secure Boot disabled. All the packages I used in the Arch-based distributions seemed to be already installed, but when I enabled Secure Boot and restarted, the system would not boot, so I tried installing rEFInd and setting things up as I did in the previously mentioned Arch-based distributions. All I got was a recurring MOK management tool, and when I used the continue option after completing the first run of the MOK registration, the system did not boot successfully. At that point I decided that the effort was not worth the bother and removed the VM. Along the way, sudo was not enabled for my user. When I tried to set it up, the path to the tools I needed (/etc/sbin) was not included in the PATH variable, so I added it using the usual export echo command I knew. That didn’t work as I expected, so I edited the path entry in /etc/profile (something I never like doing because mistakes can have unexpected results). All in all, Devuan is a nice distribution, but there are a lot of little things the developers need to fix for me to try using it in any sort of production environment.

This has been my experience with it; hopefully others have better experiences.

That is deliberate. The old-fashioned idea was that superuser commands should not be in your PATH; you should type in the full path. This ensures that you get the intended command and not a trojan horse. It is a security provision.

Given that the Devuan people are the old school Debian group, it is not surprising that they implemented this.

I am not surprised it fails under Secure Boot. The way Secure Boot is supported in Debian is probably systemd-dependent.

Which init system did you choose? I use runit in my Devuan.
You probably got sysvinit if you took the default.

Thanks for trying it. We know where it stands now in relation to secure boot.

That may be why I was able to enable it (Secure Boot) in the Arch-based distributions I tried (Garuda Dragonized, Garuda-xfce, and Manjaro). I like Garuda Dragonized well enough that I have it on my primary laptop PC, at least for a while. I’m going to put Manjaro with the xfce DE on my older laptop again now that I know how to set up Secure Boot the easy way :slight_smile:.

Ernie

1 Like

Distrowatch has a list of distros that support Secure Boot (via shim).

They are nearly all systemd distros, except the BSD ones.
I looked at shim.c; it does not seem to have systemd calls?

I took a look at the list of distributions that support Secure Boot, and of the Linux distributions there, I’ve either found them already or nixed them for one reason or another. At this point, I’m going to stick with the Arch-based distributions for a while because I’ve learned how to enable Secure Boot in them using packages from AUR. I had hoped that more distributions that don’t support Secure Boot out-of-the-box would at least have the packages needed to enable it in one of their repositories, but that doesn’t seem to be the case; either that, or I haven’t learned enough about Secure Boot and the UEFI system yet. I’ll probably keep trying, off and on, until I learn to use or build the needed packages from source. Most of that learning will be done using VMs so I don’t bork my hardware :slight_smile:,

Maybe some day I’ll be able to post methods for many distributions here on It’s FOSS,

Ernie

1 Like