On Wed, Jun 10, 2026 at 8:49 AM Harald Dunkel <[email protected]> wrote:
> Hardware is a Lenovo P53s with Lenovo's new secure boot certificates > installed. Hi Harri, With secure boot enabled, Linux automatically sets itself into "lockdown mode" (`man 7 kernel_lockdown`). One of the effects of this is that kernel modules must be signed by a key which is trusted --- in the case of shim, a user key is automatically installed. However, because you're dealing with a Lenovo that comes with Linux from the factory, I'm not sure if they're using the shim or not. I would look into your boot logs and see if you see a line like "Loading compiled-in X.509 certificates". That will be the list of keys installed at build time and at compile time. If you see Debian in there, then you're using shim -- in that case, you can follow the instructions at: https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key to put a enroll a key and setup dkms to use it. If you're not using shim... that's a trickier problem, and I'm not sure off the top of my head how to fix it. I'd reach out to the Debian support lists and see if anyone has any suggestions. Good luck! Sincerely, -- Harlan Lieberman-Berg ~hlieberman
