
[Good News] Lenovo Thinkpad Yoga L13 AMD Gen 2 does not brick when removing vendor+ms keys. #317

Open
schichtnudelauflauf opened this issue May 24, 2024 · 5 comments

@schichtnudelauflauf

If somewhere in this niche there is a list of devices that definitely brick or do not brick, feel free to add this.

Setup, boot menu and diagnostics still work after removing everything but a fresh PK and KEK that never signed anything except pk->kek. DB completely empty.

Machine Type Model 21AES01900
Vendor Firmware R1QET34W (1.20). (Not latest, will try again on latest.)

MSI gaming boards also seem not to brick, but they also smell a lot like bypassable Secure Boot issues.

@afontenot

Thanks for providing this info, I've been curious about this and have a similar system here.

Could you provide the output of sbctl status and sbctl list-enrolled-keys? I'm curious about what a correctly set up configuration without the vendor keys looks like.

@afontenot

afontenot commented Jun 2, 2024

For the record I did end up trying this and am not seeing issues at present, although I did whitelist two individual keys from the TPM eventlog. Machine is a ThinkPad E14 Gen 4 AMD.

$ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     [UUID]
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    tpm-eventlog

$ sbctl list-enrolled-keys
PK:
  Platform Key
KEK:
  Key Exchange Key
DB:
  Database Key

Maybe successes / failures could be recorded in a wiki somewhere?

@IPlayZed

If we track platforms I can provide at least 3 configurations where I validated that clearing vendor keys does not cause any problems.

Besides going into the firmware setting and clearing the vendor keys, have you done any specific thing?

@schichtnudelauflauf (author)

schichtnudelauflauf commented Jun 12, 2024

I deleted all keys, then created keys with a fresh sbctl config and enrolled them using it. I added the Microsoft 3rd party CA and 3 boot services hashes from the TPM event log.
Then I tested each boot with one element removed.
First one removed was the Microsoft 3rd party CA.
After that shim wasn't booting anymore, as intended.
Then I removed the hashes from the TPM event log in decreasing numerical order. In between each I rebooted and power-cycled and checked if I could still access the BIOS config menu.
It still worked after all hashes were gone.

I have never signed any boot file with the generated key, so nothing after firmware would execute without the MS 3rd party CA, because it's faster to check with a denied shellx64.efi and the firmware menus than to actually boot anything bigger.

The MSI boards aside was more along the lines of not giving a damn. The only thing that wouldn't work is an NVIDIA OpROM from an add-on GPU.

@0x09AF

0x09AF commented Jul 2, 2024

I successfully enrolled my own keys (without Microsoft ones) on my Lenovo ThinkPad E14 Gen 4 (Intel). I did:

sbctl create-keys
sbctl enroll-keys -t
sbctl sign -s /boot/EFI/<all_present_bootloaders>

then enabled Secure Boot in UEFI settings, rebooted, and all works.
I have the exact same output as @afontenot in the comment above.
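Both the enroll-and-sign sequence above and the earlier remove-one-entry-at-a-time test come down to what bytes end up in the `db` variable. The following is an added example (not sbctl's code and not posted by anyone in this thread) that parses `db` in its raw EFI_SIGNATURE_LIST form, counts X.509 and SHA-256 entries, flags entries whose SignatureOwner is Microsoft's well-known owner GUID, and rebuilds the variable with one owner's entries dropped so you can see what "DB completely empty" or "no vendor keys" looks like before writing anything back. The sample `db`, the `LOCAL_OWNER` GUID and the `FAKE_DER` payloads are constructed for the example; the signature-type GUIDs and the `db` variable name/GUID are the ones from the UEFI specification.

```python
"""Inspect a UEFI Secure Boot signature database (db/dbx/KEK) at the byte level.

Added example, not part of the sbctl project or this thread. It parses the
EFI_SIGNATURE_LIST format that db is stored in, counts what is enrolled, flags
entries whose SignatureOwner is Microsoft's well-known GUID, and rebuilds the
variable with a given owner's entries dropped. The sample db below is
constructed inline so the script runs offline; the X.509 payloads are dummies.
"""
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID Microsoft uses on the entries it ships in db/KEK.
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Constructed stand-in for a local sbctl "Owner GUID" (any value works).
LOCAL_OWNER = uuid.UUID("9f4a1c2e-5b6d-4e7f-8a9b-0c1d2e3f4a5b")

# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def iter_esls(blob):
    """Yield (sig_type, header_bytes, [(owner, data), ...]) per EFI_SIGNATURE_LIST."""
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body_off = off + ESL_HEADER.size + hdr_size
        body_len = list_size - ESL_HEADER.size - hdr_size
        # Every signature starts with a 16-byte owner GUID, so SignatureSize > 16.
        if sig_size <= 16 or body_len % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        sigs = []
        for i in range(body_len // sig_size):
            s = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            sigs.append((owner, blob[s + 16:s + sig_size]))
        header = blob[off + ESL_HEADER.size:body_off]
        yield uuid.UUID(bytes_le=type_raw), header, sigs
        off += list_size


def build_esl(sig_type, signatures, header=b""):
    """Serialise one EFI_SIGNATURE_LIST; all signature payloads must be the same length."""
    sig_size = 16 + len(signatures[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in signatures)
    if len(body) != sig_size * len(signatures):
        raise ValueError("signature payloads differ in length")
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(header) + len(body),
                           len(header), sig_size) + header + body


def read_efivar(path):
    """Read a variable from efivarfs; the first 4 bytes are attribute flags, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def summarize_db(blob):
    """Count entries by type and report how many carry Microsoft's owner GUID."""
    counts = {"x509": 0, "sha256": 0, "other": 0, "microsoft_owned": 0}
    for sig_type, _hdr, sigs in iter_esls(blob):
        for owner, _data in sigs:
            if sig_type == EFI_CERT_X509_GUID:
                counts["x509"] += 1
            elif sig_type == EFI_CERT_SHA256_GUID:
                counts["sha256"] += 1
            else:
                counts["other"] += 1
            if owner == MS_OWNER_GUID:
                counts["microsoft_owned"] += 1
    return counts


def drop_owner(blob, owner_to_drop):
    """Rebuild the variable with every signature owned by owner_to_drop removed."""
    out = b""
    for sig_type, header, sigs in iter_esls(blob):
        kept = [(o, d) for o, d in sigs if o != owner_to_drop]
        if kept:  # a list with nothing left is omitted; no lists at all is an empty db
            out += build_esl(sig_type, kept, header)
    return out


# Constructed sample db: one local X.509 cert, three local hashes, one Microsoft cert.
FAKE_DER = b"\x30\x82\x00\x0a" + b"\x00" * 8  # placeholder DER, not a real certificate
SAMPLE_DB = (
    build_esl(EFI_CERT_X509_GUID, [(LOCAL_OWNER, FAKE_DER)])
    + build_esl(EFI_CERT_SHA256_GUID, [(LOCAL_OWNER, bytes([i]) * 32) for i in range(3)])
    + build_esl(EFI_CERT_X509_GUID, [(MS_OWNER_GUID, FAKE_DER)])
)

if __name__ == "__main__":
    print("sample db:         ", summarize_db(SAMPLE_DB))
    print("after dropping MS: ", summarize_db(drop_owner(SAMPLE_DB, MS_OWNER_GUID)))
    print("empty db:          ", summarize_db(b""))
```

On a live system, `summarize_db(read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"))` gives the same kind of summary for the real `db`. The owner-GUID check is a heuristic: the SignatureOwner is whatever the enrolling party wrote, so a Microsoft CA re-enrolled under your own owner GUID (as the `-m`-style flows do) would not be flagged by it; a thorough check also decodes each X.509 payload and looks at the subject.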
