Introduction
The secureboot-scripts repository has a README.md file which documents the entire process of taking control of UEFI secure boot using the scripts in this repository. However, it also contains a lot of waffle about the ethical issues surrounding UEFI secure boot. It also goes into great detail about how you can customize your new self-controlled UEFI secure boot environment. I understand that many novice users do not need that, and would rather just have a straight-up, no-nonsense guide on how to do the thing! So this is what this pinned issue is for.
The main reason you would want to take control of secure boot is to be able to have control over what can be booted on your own computer (as opposed to such control being exclusively in the hands of Microsoft), without giving up on certain OS-level security features across both Windows and Linux which get automatically disabled if secure boot is off. Furthermore, the anti-cheat engines of many online competitive video games mandate that secure boot be enabled on the system. That is why this method will give you the best of both worlds - the authority to decide what is or isn't allowed to boot on your own machine, with the security and compatibility that comes with having secure boot enabled.
It should be noted that no customization options will be presented here; this is designed to give you the easiest way to get to the default setup. It will also NOT explain the purposes of each of the UEFI secure boot databases, nor the purpose of each of your secure boot keys. The README.md file contains such information, and you can read that to learn more.
Prerequisites
Let's get started. You need to be running a GNU/Linux system with OpenSSL installed (that is, the openssl command-line utility). You also need Git, to be able to check out this repository. No other dependencies are required, apart from the ones which are generally assumed to be present out of the box on most GNU/Linux systems. Previously, efitools was also a dependency, but this is no longer the case, as prebuilts of efitools can now be used instead.
Check out the repository
Run the following commands to check out this repository and change directory into the source tree:
git clone https://github.com/DanielMYT/secureboot-scripts
cd secureboot-scripts
Set up efitools prebuilts
Run the following command:
./efitools/efitools-prebuilt.sh
This will automatically place the prebuilt binaries of efitools in a location that the subsequent scripts can find them. No further setup from you is required.
Generate your keys
Run the following command to generate your secure boot key set, including PK, KEK and db keys:
./generate-keys.sh
You will be prompted to type your desired common name (CN) for each key. You can type whatever you want, but we recommend keeping it concise but descriptive. Here is an example:
Set up extracerts
Customizing extracerts is outside the scope of this guide. See extracerts/README.md for details. Set up the default extracerts (which includes Microsoft's certificates as well as the default MassOS certificate) by running the following command:
cp -rv extracerts.DEFAULT/{db,kek} extracerts/
Create databases
./create-databases.sh
Enter setup mode
Before proceeding to install the new secure boot key databases, you first have to place the system into setup mode. This is a special state whereby the Platform Key is cleared, and is ready for a new one to be installed. The process to do this varies from device to device, but all will require entering the UEFI firmware settings and heading to the "Security" and/or "Secure Boot" tab. The option may be named "Reset to setup mode", "Erase all secure boot keys", or anything similar. Images in the reply below will provide demonstrations of where the option is found and what it is named on certain example systems.
Install new secure boot databases
After restarting into setup mode, you can now finally import the new secure boot databases into your firmware by using the following script (you may need to first cd secureboot-scripts again if you restarted your terminal session):
sudo ./import-to-firmware.sh
This should succeed with an output similar to what is shown in the following image if you were successfully in setup mode:
Otherwise, the following error output will occur:
If the latter appears, the process was unsuccessful. You need to ensure you are in setup mode, as described above, and as demonstrated in the images in the reply to this pinned issue. If you still can't locate the setting, feel free to send me an email, and I'll try to help point you to the specific BIOS option on your machine.
Conclusion
You should now be good to go! After running import-to-firmware.sh, the Platform Key will be installed, which automatically takes you out of setup mode. It may, however, not automatically re-enable secure boot by default. If this is the case, you will now need to head back into your BIOS settings and turn on secure boot if you want to make use of your newly configured secure boot environment.
A second pinned issue will shortly follow with a detailed guide on how to sign EFI binaries using your new key set - this is required if you want to boot anything that isn't pre-signed by (e.g.) Microsoft.
Please note that, on some machines, BIOS updates and/or CMOS resets may cause the secure boot databases to be reset back to the factory defaults. If this occurs, you do NOT need to redo this entire process again; you just need to boot the system back into setup mode and then re-run import-to-firmware.sh.
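As an added check that is not part of the secureboot-scripts repository or its scripts: the Python script below reads the SecureBoot and SetupMode variables from efivarfs to tell you whether the machine is in setup mode (which you want before running import-to-firmware.sh) or whether secure boot is enabled afterwards, and parses the db variable's EFI_SIGNATURE_LIST chain to print the SHA-256 fingerprint of every certificate and hash it contains. That lets you confirm your own db certificate actually landed in firmware, and, after a BIOS update or CMOS reset, whether it is still there. The variable names, vendor GUIDs and structure layouts are from the UEFI specification; the sample database at the bottom is constructed for the demonstration, not read from a real machine.

```python
"""Check UEFI secure boot state and list the entries of a signature database.

Added example, not code from the secureboot-scripts repository. Reading the
variables requires a Linux system booted via UEFI with efivarfs mounted; the
parser itself runs on the constructed sample below.
"""
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# Vendor GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"        # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
# Signature types that appear in db/dbx.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
ESL_HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def efivar_data(name, vendor_guid):
    """Return a variable's data; efivarfs prefixes each file with 4 attribute bytes."""
    return (EFIVARS / f"{name}-{vendor_guid}").read_bytes()[4:]


def secure_boot_state(secureboot_data, setupmode_data):
    """Interpret the one-byte SecureBoot and SetupMode variables."""
    enabled = len(secureboot_data) >= 1 and secureboot_data[0] == 1
    setup = len(setupmode_data) >= 1 and setupmode_data[0] == 1
    if setup:
        return "setup mode (PK cleared): import-to-firmware.sh can be run"
    return "user mode, secure boot " + ("ENABLED" if enabled else "DISABLED")


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    chain of EFI_SIGNATURE_LIST structures, validating sizes as it goes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if (list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob)
                or sig_size < 16):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size != 0:
            raise ValueError(f"signature array size not a multiple of SignatureSize at {off}")
        for i in range(0, len(body), sig_size):
            # Each EFI_SIGNATURE_DATA is SignatureOwner (GUID) followed by the payload.
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield sig_type, owner, body[i + 16:i + sig_size]
        off += list_size


def describe(blob):
    """Return (kind, owner, fingerprint) tuples; x509 entries are fingerprinted
    as SHA-256 over the DER certificate, hash entries are shown as-is."""
    out = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            out.append(("x509", str(owner), hashlib.sha256(data).hexdigest()))
        elif sig_type == EFI_CERT_SHA256_GUID:
            out.append(("sha256-hash", str(owner), data.hex()))
        else:
            out.append((f"unknown({sig_type})", str(owner), hashlib.sha256(data).hexdigest()))
    return out


def build_signature_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST from (owner_guid, data) pairs of equal length.
    Inverse of parse_signature_lists; used here only to construct test input."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    header = sig_type.bytes_le + struct.pack("<III", ESL_HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample database: one "certificate" entry (placeholder bytes standing
# in for DER, not a real certificate) followed by one SHA-256 hash entry.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DER = b"\x30\x82\x00\x04\xde\xad\xbe\xef"
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, [(SAMPLE_OWNER, SAMPLE_DER)])
             + build_signature_list(EFI_CERT_SHA256_GUID, [(SAMPLE_OWNER, bytes(range(32)))]))

if __name__ == "__main__":
    try:
        print(secure_boot_state(efivar_data("SecureBoot", EFI_GLOBAL_VARIABLE),
                                efivar_data("SetupMode", EFI_GLOBAL_VARIABLE)))
        for kind, owner, fp in describe(efivar_data("db", EFI_IMAGE_SECURITY_DATABASE)):
            print(f"db: {kind:12} owner={owner} {fp}")
    except OSError as exc:
        print("efivars not readable (not booted via UEFI, or not root?):", exc)
```

Run it as root once before import-to-firmware.sh (it should report setup mode) and again after re-enabling secure boot in the firmware settings (it should report ENABLED). The x509 fingerprints it prints are SHA-256 over the DER certificate, so they can be compared directly with `openssl x509 -in <your db certificate> -noout -fingerprint -sha256` (openssl prints the same digest colon-separated in uppercase); the same comparison against the Microsoft certificates from extracerts tells you which of them were actually imported.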