[SOLVED] Secure Boot with PVE coming?


Dec 29, 2020
It's the first time, that I tried to install a Proxmox server with UEFI Secure Boot enabled today and realized that it would not work.
Even the PVE8 docs (https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm#PVE_Kernel_fails_to_boot) tell that Secure Boot should just be disabled.

This thread from 2019 mentions:
@fabian: We don't offer signed kernel images or Grub (yet), so there is no Secure Boot with PVE.

As Secure Boot is kind of nice I wonder if there are any plans to ship signed PVE kernel images in foreseeable future?
Last edited:

I see this topic is 'solved' but if i may i temporarily would open it again.

I am not very seasoned secure boot user but still from time to time i take interest in sb. Somehow randomly i stumbled to observe phenomena that running blktrace/blkparse is not successful (why i took interest into blktrace is another story :) on ordinary Ubuntu/Debian like this

# blktrace -a discard -d /dev/vda -o - | blkparse -i -
Thread 3 failed open /sys/kernel/debug/block/vda/trace3: 1/Operation not permitted
FAILED to start thread on CPU 0: 1/Operation not permitted
root@pbs-adala-3:~dmesg -T | tail -n 8
[Mon Sep 4 01:39:52 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7

Turns out reason for this is computer has secure boot enabled and more or less automatically it triggers among other things kernel lockdown, newer Ubuntu and Debian kernels have ('man 7 kernel_lockdown')

# grep CONFIG_SECURITY_LOCKDOWN_LSM /boot/config-5.10.0-25-amd64

Now i would like to ask if it would be ok to run proxmox backup server v. 2.4/3.0 with vanilla debian v. 11/12 kernel since using it i could have this secure boot and lockdown? I actually run pbs as virtual machine and ext4 filesystems etc so i think i dont loose much not having pve kernel there in this regard; but otherwise i am thinking to myself if having sb enabled on pbs maybe pbs is otherwise tampered.

And i also, since it seems pve kernels do not have lockdown turned on

# grep CONFIG_SECURITY_LOCKDOWN_LSM /boot/config-6.2.16-4-bpo11-pve

would like to ask when you do include secure boot officially do you consider also having lockdown feature turned on? (I wonder if it somehow contradicts with pbs or pve setup in general.)

Best regards,


Just wanted to say thanks, in PVE v. 8.1 (and in PBS v. 3.1) i see secure boot and kernel lockdown behave to my mind exactly as expected!

Best regards,



The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!