Skip to main content


Showing posts from September, 2023

linux-firmware and microcode

to find what drivers are needed boot live iso with gui and dmesg to see firmware loaded for i915 driver intel ice lake see required latest drivers from mine is icelake ( icl ) so  i select icl mkdir /lib/firmware/i915 nano fw-i915 curl -O curl -O curl -O chmod +x fw-i915 ./fw-i915   or manually download and move it to /lib/firmware/i915 filder  for ath10k driver qca9337 wireless card mkdir -p /lib/firmw

easy secureboot

intro Using a signed boot loader means using a boot loader signed with Microsoft's key here are two known signed boot loaders: PreLoader and shim Their purpose is to chainload other EFI binaries (usually boot loaders ) Since Microsoft would never sign a boot loader that automatically launches any unsigned binary, PreLoader and shim use an allowlist called Machine Owner Key list, abbreviated MokList. If the SHA256 hash of the binary (Preloader and shim) or key the binary is signed with (shim) is in the MokList they execute it, if not they launch a key management utility which allows enrolling the hash or key.  The enrollment of the Microsoft 3rd Party UEFI CA certificate needs to be enabled in firmware settings to launch EFI binaries and OpROMs signed with this certificate.    using shim When run, PreLoader tries to launch loader.efi debian kernel and modules are already signed with debian keys   /sbin/modinfo snd sig_id:         PKCS#7 signer:         Debian Secure Boot CA s

debian stable bootstrap

apk add debootstrap arch-install-scripts   prepare partition  doas mkfs.ext4 -O ^has_journal   /dev/nvme0n1p3 doas mount /dev/nvme0n1p3 /mnt   bootstrap using debootstrap   --print-debs for listing pkg to be installed  debian available releases are stable,testing,unstable debootstrap --variant=minbase stable /mnt debootstrap --include=apt,bash,dpkg stable /mnt   ubuntu   sudo debootstrap --arch amd64   jammy  --extractor =ar if you are using old apt without zstd support to install new image   devuan doas debootstrap --arch amd64 chimaera /mnt /usr/share/debootstrap/scripts/Chimaera security updates  nano /etc/apt/sources.list deb chimaera main contrib non-free deb chimaera-secu