[Good News] Lenovo Thinkpad Yoga L13 AMD Gen 2 does not brick when removing vendor+ms keys. #317
Comments
Thanks for providing this info, I've been curious about this and have a similar system here. Could you provide the output of
For the record I did end up trying this and am not seeing issues at present, although I did whitelist two individual keys from the TPM eventlog. Machine is a ThinkPad E14 Gen 4 AMD.

```
$ sbctl status
Installed: ✓ sbctl is installed
Owner GUID: [UUID]
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: tpm-eventlog
$ sbctl list-enrolled-keys
PK:
Platform Key
KEK:
Key Exchange Key
DB:
Database Key
```

Maybe successes / failures could be recorded in a wiki somewhere?
If we track platforms I can provide at least 3 configurations where I validated that clearing vendor keys does not cause any problems. Besides going into the firmware setting and clearing the vendor keys, have you done any specific thing?
I deleted all keys, then created keys with a fresh sbctl config and enrolled them using it. I added the Microsoft 3rd party CA and 3 boot services hashes from the TPM eventlog. I have never signed any boot file with the generated key, so nothing after firmware would execute without the MS 3rd party CA, because it's faster to check with a denied shellx64.efi and the firmware menus than actually booting anything bigger. The MSI boards aside was more along the lines of not giving a damn. The only thing that wouldn't work is an NVIDIA OpROM from an add-on GPU.
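As an added example (not code from the thread or from the sbctl project), a POSIX shell helper that scripts the sequence described in the comment above and checks that the resulting `sbctl status` output reports the expected state. It assumes an sbctl version whose `enroll-keys` accepts `--tpm-eventlog` and `--microsoft`, as used in this thread.

```shell
#!/bin/sh
# Added example, not part of sbctl. Assumes `sbctl create-keys`,
# `sbctl enroll-keys --tpm-eventlog --microsoft` and `sbctl status`
# behave as shown in this thread.

# Read `sbctl status` output from stdin and return 0 only when it shows the
# post-enrollment state reported in the thread: setup mode disabled,
# Secure Boot enabled, and the vendor-key source recorded as tpm-eventlog.
check_status() {
    setup_ok=0; sb_ok=0; vendor_ok=0
    while IFS= read -r line; do
        case "$line" in
            *"Setup Mode:"*Disabled*)      setup_ok=1 ;;
            *"Secure Boot:"*Enabled*)      sb_ok=1 ;;
            *"Vendor Keys:"*tpm-eventlog*) vendor_ok=1 ;;
        esac
    done
    [ "$setup_ok" = 1 ] && [ "$sb_ok" = 1 ] && [ "$vendor_ok" = 1 ]
}

# Create a fresh PK/KEK/db and enrol them together with the firmware's own
# boot-service hashes from the TPM event log and the Microsoft 3rd-party CA.
# Only meaningful with the firmware already in setup mode (vendor keys
# cleared); after a reboot with Secure Boot enabled, re-run the status check.
enroll_with_eventlog() {
    sbctl create-keys || return 1
    sbctl enroll-keys --tpm-eventlog --microsoft || return 1
    sbctl status | check_status
}
```

After the reboot, `sbctl status | check_status` alone is the quick confirmation that the keys took effect without the firmware dropping back into setup mode.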
I successfully enrolled my own keys (without Microsoft ones) on my Lenovo ThinkPad E14 Gen 4 (Intel). I did:
then enabled Secure Boot in UEFI settings, rebooted, and all works.
If somewhere in this niche there is a list of devices that definitely brick or do not brick, feel free to add this.
Setup, Bootmenu and Diagnostics still work after removing everything but a fresh PK and KEK that never signed anything except pk->kek. DB completely empty.
Machine Type Model 21AES01900
Vendor Firmware R1QET34W (1.20). (Not latest, will try again on latest.)
Also MSI Gamerboards seem not to brick, but they also smell a lot like bypassable Secure Boot issues.