We’re excited to announce the release of Nitrux SB Manager, a streamlined utility designed to simplify Secure Boot management on Nitrux. With this utility, users can effortlessly generate Machine Owner Keys (MOK), sign kernels for Secure Boot, and enroll keys directly into the UEFI firmware.
What is a Machine Owner Key (MOK)?
A Machine Owner Key (MOK) is a cryptographic key pair used in the Secure Boot framework to authenticate and verify the integrity of boot-related software, such as the Linux kernel and kernel modules.
The MOK allows users to create and manage their own keys for signing software, enabling them to add custom kernels or modules to a Secure Boot-enabled system without deactivating it.
What is Secure Boot?
Secure Boot is a security standard developed by the Unified Extensible Firmware Interface (UEFI) Forum to protect systems from malicious software that attempts to load during the boot process. When Secure Boot is enabled, the firmware checks the digital signature of each piece of boot software—such as bootloaders, operating systems, and kernel modules—against a trusted certificate store. Only software with a valid signature can execute, preventing unauthorized or malicious code from running.
It protects your system from malicious software by ensuring only signed and trusted code runs at startup. Sounds great in theory, right? However, in practice, Secure Boot often feels like a brick wall for those who want to use Linux.
To make this process smoother and less intimidating, we’ve created Nitrux SB Manager, a tool built to simplify Secure Boot configuration and kernel signing.
Nitrux SB Manager
https://github.com/Nitrux/sb-manager
Nitrux SB Manager is a simple utility that creates machine owner keys (MOK) compatible with Secure Boot.
⚠️ Important: Nitrux SB Manager is intended to work exclusively in Nitrux OS, and using this utility in other distributions will break them or not work at all. Please do not open issues regarding this use case; they will be closed.
Overview
Nitrux SB Manager performs three steps:
- Generate Secure Boot keys.
- Sign your kernel for Secure Boot.
- Enroll keys directly into the UEFI firmware.
What SB Manager is
- Minimalistic, focusing on necessary functionality.
- It’s mostly a GUI utility.
- 100% Free and Open Source Software written entirely in a POSIX-compliant scripting language.
What SB Manager is not
- A package manager.
  - SB Manager does not install new kernels; it only signs them.
- An installer.
  - SB Manager does not handle system or bootloader installation.
- A bootloader.
- A GUI for certificate management.
- A container, virtual machine, Live USB creator, Linux distribution, desktop environment, or “proprietary software.”
  - 🔰 Information: We don’t know why anyone would think that, but one can never know, so let’s clarify that.
Requirements
- Nitrux 3.7.1+.
  - 🔰 Information: The utility will work out of the box starting with the mentioned release.
Installation
For Nitrux releases where SB Manager is not available by default, do the following:
- ⚠️ Important: To permanently add SB Manager to the root, see our tutorial Filesystem, Security, Privacy, and Anonymization Features in Nitrux.
git clone --depth=1 https://github.com/Nitrux/sb-manager.git "$HOME/sb-manager"
sudo cp "$HOME/sb-manager/usr/bin/sb-manager" /usr/bin
Usage
Run sb-manager from the terminal and follow the prompts.
- 🔰 Information: The use of this utility requires pkexec.
SB Manager does not have any configuration parameters or additional options.
SB Manager is highly automated; it stops only to ask the user for permission to perform actions and for the input needed to create the OpenSSL certificate and the MOK password.
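The three steps from the Overview, written out by hand as an added example; this is not SB Manager's own code. It assumes the commonly used openssl, sbsign/sbverify (sbsigntool) and mokutil tools, since the page does not say which commands SB Manager runs, and the function names, file names and CN are constructed.

```shell
#!/bin/sh
# Added example: the three steps done by hand. Assumed tools: openssl,
# sbsign/sbverify (sbsigntool) and mokutil. File names and CN are constructed.

# Step 1: RSA-2048 key plus self-signed certificate, PEM for sbsign, DER for mokutil.
# -nodes leaves the private key unencrypted, so it is created under umask 077.
gen_mok() {  # usage: gen_mok DIR COMMON_NAME
    dir=$1; cn=$2
    ( umask 077 && mkdir -p "$dir" &&
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=$cn/" -keyout "$dir/MOK.key" -out "$dir/MOK.pem" \
          2>/dev/null ) || return 1
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der"
}

# Check that the certificate really carries the public half of the private key.
mok_pair_matches() {  # usage: mok_pair_matches DIR
    pub=$(openssl x509 -in "$1/MOK.pem" -noout -pubkey) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$1/MOK.key" -pubout)" ]
}

# SHA-256 fingerprint of the certificate, for recording which key was enrolled.
mok_fingerprint() {  # usage: mok_fingerprint DIR
    openssl x509 -in "$1/MOK.der" -inform DER -noout -fingerprint -sha256
}

# Step 2: sign a kernel image, then verify the signature against the same certificate.
sign_kernel() {  # usage: sign_kernel DIR KERNEL_IMAGE  (writes KERNEL_IMAGE.signed)
    sbsign --key "$1/MOK.key" --cert "$1/MOK.pem" --output "$2.signed" "$2" &&
    sbverify --cert "$1/MOK.pem" "$2.signed"
}

# Step 3: queue the certificate for enrollment. mokutil asks for a one-time
# password that must be typed again in the MOK manager on the next boot.
enroll_mok() {  # usage: enroll_mok DIR  (needs root)
    mokutil --import "$1/MOK.der"
}
```

Whoever holds MOK.key can sign code the machine will boot once the certificate is enrolled, so keep the key readable by root only or move it off the machine after signing.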