Add option to add Microsoft/vendor certs to the signature database #40
Comments
This. Right now my options are
There are a few solutions I want to implement:
This has mostly been improving the APIs for dealing with signature lists and databases in
I have implemented support in the master branch for enrolling Microsoft signing certs. This needs to be explicitly done, but it's a nice start. This also sports a

This is partially based on work by @zaolin :) <3

```
λ sbctl master» sudo ./sbctl enroll-keys
‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivarfs
λ sbctl master» sudo chattr -i /sys/firmware/efi/efivars/{db,KEK}*
λ sbctl master» sudo ./sbctl enroll-keys
Enrolling keys to EFI variables...
✓ Enrolled keys to the EFI variables!
λ sbctl master» sudo ./sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     a7b893cc-949d-408c-b5cc-6e7d0370fdb6
Setup Mode:     ✓ Disabled
Secure Boot:    ✗ Disabled
λ sbctl master» sudo ./sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.
λ sbctl master» sudo ./sbctl enroll-keys --microsoft
Enrolling keys to EFI variables...
With vendor keys from Microsoft...
✓ Enrolled keys to the EFI variables!
λ sbctl master» sudo ./sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     a7b893cc-949d-408c-b5cc-6e7d0370fdb6
Setup Mode:     ✓ Disabled
Secure Boot:    ✗ Disabled
Vendor Keys:    microsoft
```
Implemented with 4713d98
Unfortunately, I found out that some(?) firmwares try to validate option ROMs with the custom keys the user imported, which will not succeed and might even result in a semi-bricked motherboard when no iGPU/APU is present. Adding Microsoft's or the vendor's certs to the signature database seems to be the only way to use secure boot with such a setup.
See also:
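Added example, not part of this issue or of sbctl: a small Python parser for the EFI_SIGNATURE_LIST format that efivarfs exposes for `db`/`KEK`, so you can list exactly which certificates and hashes are enrolled (per signature type and owner GUID) before flipping Secure Boot on with a discrete GPU in the machine. The sample variable is constructed inline; the vendor owner GUID and the DER blob are placeholders, while the sbctl owner GUID is the one from the `sbctl status` output above.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

SBCTL_OWNER = uuid.UUID("a7b893cc-949d-408c-b5cc-6e7d0370fdb6")  # from the status output above
VENDOR_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # constructed placeholder
FAKE_CERT_DER = b"\x30\x82\x00\x10" + bytes(16)                    # constructed stand-in for a cert


def parse_efivar_blob(blob, efivarfs=True):
    """Yield (sig_type, owner, data) for every entry in a db/KEK/dbx variable.

    efivarfs prefixes the variable with a 4-byte attribute word; pass
    efivarfs=False for a raw EFI_SIGNATURE_LIST blob (e.g. an .esl file).
    """
    off = 4 if efivarfs else 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):  # each entry: SignatureOwner GUID + data
            yield sig_type, uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size]
        off += list_size


def build_list(sig_type, entries):
    """Constructed helper: pack (owner, data) pairs of equal size into one signature list."""
    body = b"".join(o.bytes_le + d for o, d in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0][1])) + body


def summarize(blob, efivarfs=True):
    """Count entries per (type, owner) so anything besides your own keys stands out."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    counts = {}
    for sig_type, owner, _ in parse_efivar_blob(blob, efivarfs):
        key = (names.get(sig_type, str(sig_type)), str(owner))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed efivarfs-style db: attributes NV|BS|RT|TIME_BASED_AUTH (0x27), then two lists.
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_list(EFI_CERT_X509_GUID, [(SBCTL_OWNER, FAKE_CERT_DER)])
             + build_list(EFI_CERT_SHA256_GUID, [(VENDOR_OWNER, bytes([1]) * 32), (VENDOR_OWNER, bytes([2]) * 32)]))
```

On a real system, read `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and pass the bytes to `summarize`; an `x509` entry under an owner other than your own is the vendor CA that option ROMs are signed against.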