$ sbctl status
==> WARNING: Setup Mode: Enabled
==> WARNING: Secure Boot: Disabled
$ sbctl create-keys
==> Creating secure boot keys...
-> Using UUID d6e9af79-c6b5-4b43-b893-dbb7e6570142...
==> Signing /usr/share/secureboot/keys/PK/PK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/KEK/KEK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/db/db.der.esl with /usr/share/secureboot/keys/KEK/KEK.key...
$ sbctl enroll-keys
==> Syncing /usr/share/secureboot/keys to EFI variables...
==> Synced keys!
However, in my case, since I was already in the UEFI menu, I imported the keys manually from the .auth files. Perhaps it could make sense to have a command to export keys (and then only the necessary .auth/.esr/.cel files) into a folder for use with either the device's UEFI firmware or KeyTool.
Finally, what do you think of moving keys across devices? Should it be a supported thing, or should users just manually copy the /usr/share/secureboot folder?
It should be possible to enroll a signed empty file, signed by PK and get us into setup mode. I have tried writing code for this with goefi but haven't been able to reproduce this functionality inside qemu with tianocore.
Some export functionality makes sense, as the actual files would probably disappear and be created on demand when we move from sbsigntools to goefi.
Finally, what do you think of moving keys across devices? Should it be a supported thing, or should users just manually copy the /usr/share/secureboot folder?
Not sure. If we want better secured keys, say we add yubikey support, I wonder if it's better to have sbctl.conf and allow people to point at keystores at will. Then sbctl can just do its due diligence and ensure we know we have the enrolled keys in the keystore.
In this section of the README, we could link to some article / wiki page / something for instructions on how to put the device in Setup Mode, or just explain it ourselves. According to https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance , it should require only resetting all current Secure Boot configuration on the device.
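To make concrete what the files in the transcript above and the "signed empty file" idea in the thread actually contain, here is an added example in Go (sbctl's own language). It is written for this note, not code from sbctl or go-uefi. It builds the EFI_SIGNATURE_LIST that sbctl writes as PK.der.esl, parses such lists back the way the firmware stores them in the PK/KEK/db variables, and lays out the bytes that the PKCS#7 signature inside a .auth update must cover. With empty data, that update is exactly the PK-signed "delete PK" that returns a board to Setup Mode. Assumptions: a throwaway self-signed certificate stands in for a real PK, the SignatureOwner GUID is the UUID printed by create-keys above, and the PKCS#7 signing step itself is left to sbctl or sign-efi-sig-list because Go's standard library cannot produce PKCS#7.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
	"unicode/utf16"
)

// GUIDs from the UEFI specification in their on-disk (mixed-endian) byte order.
var (
	efiCertX509GUID       = guidBytes(0xa5c059a1, 0x94e4, 0x4aa7, [8]byte{0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72})
	efiGlobalVariableGUID = guidBytes(0x8be4df61, 0x93ca, 0x11d2, [8]byte{0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}) // PK and KEK live here
	efiCertTypePKCS7GUID  = guidBytes(0x4aafd29d, 0x68df, 0x49ee, [8]byte{0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7})
)

// authVarAttrs: NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS, required on every Secure Boot key update.
const authVarAttrs uint32 = 0x01 | 0x02 | 0x04 | 0x20

func guidBytes(d1 uint32, d2, d3 uint16, d4 [8]byte) []byte {
	b := make([]byte, 16)
	binary.LittleEndian.PutUint32(b[0:], d1)
	binary.LittleEndian.PutUint16(b[4:], d2)
	binary.LittleEndian.PutUint16(b[6:], d3)
	copy(b[8:], d4[:])
	return b
}

// BuildX509ESL wraps one DER certificate in an EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID
// (the content of PK.der.esl). owner is the 16-byte SignatureOwner GUID.
func BuildX509ESL(der, owner []byte) []byte {
	sigSize := 16 + len(der)  // EFI_SIGNATURE_DATA = owner GUID || certificate
	listSize := 28 + sigSize  // 16-byte type GUID + three uint32 sizes + one signature, no SignatureHeader
	buf := new(bytes.Buffer)
	buf.Write(efiCertX509GUID)
	binary.Write(buf, binary.LittleEndian, uint32(listSize))
	binary.Write(buf, binary.LittleEndian, uint32(0)) // SignatureHeaderSize
	binary.Write(buf, binary.LittleEndian, uint32(sigSize))
	buf.Write(owner)
	buf.Write(der)
	return buf.Bytes()
}

// ParseESLCerts walks a concatenation of EFI_SIGNATURE_LISTs (what an efivar holds) and
// returns the certificates from X.509-typed lists, rejecting truncated or inconsistent sizes.
func ParseESLCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for len(data) > 0 {
		if len(data) < 28 {
			return nil, fmt.Errorf("truncated EFI_SIGNATURE_LIST header")
		}
		listSize := binary.LittleEndian.Uint32(data[16:])
		hdrSize := binary.LittleEndian.Uint32(data[20:])
		sigSize := binary.LittleEndian.Uint32(data[24:])
		if listSize < 28 || int(listSize) > len(data) || sigSize < 16 || 28+hdrSize > listSize {
			return nil, fmt.Errorf("inconsistent EFI_SIGNATURE_LIST sizes")
		}
		list := data[:listSize]
		if bytes.Equal(list[:16], efiCertX509GUID) {
			for sigs := list[28+hdrSize:]; len(sigs) >= int(sigSize); sigs = sigs[sigSize:] {
				c, err := x509.ParseCertificate(sigs[16:sigSize])
				if err != nil {
					return nil, err
				}
				certs = append(certs, c)
			}
		}
		data = data[listSize:]
	}
	return certs, nil
}

// efiTime serialises the 16-byte EFI_TIME; Pad1, Nanosecond, TimeZone, Daylight and Pad2 must be zero for authenticated writes.
func efiTime(t time.Time) []byte {
	b := make([]byte, 16)
	binary.LittleEndian.PutUint16(b[0:], uint16(t.Year()))
	b[2], b[3], b[4], b[5], b[6] = byte(t.Month()), byte(t.Day()), byte(t.Hour()), byte(t.Minute()), byte(t.Second())
	return b
}

// AuthVarTBS returns the bytes the PKCS#7 signature of an EFI_VARIABLE_AUTHENTICATION_2 update covers:
// VariableName (UCS-2, no terminator) || VendorGuid || Attributes || TimeStamp || NewData.
// With data == nil this is the "empty PK" update: signed by the current PK, it deletes PK and
// the firmware drops back into Setup Mode.
func AuthVarTBS(name string, vendor []byte, ts time.Time, data []byte) []byte {
	buf := new(bytes.Buffer)
	for _, u := range utf16.Encode([]rune(name)) {
		binary.Write(buf, binary.LittleEndian, u)
	}
	buf.Write(vendor)
	binary.Write(buf, binary.LittleEndian, authVarAttrs)
	buf.Write(efiTime(ts))
	buf.Write(data)
	return buf.Bytes()
}

// AssembleAuth lays out a .auth file: TimeStamp, WIN_CERTIFICATE_UEFI_GUID carrying the detached
// PKCS#7 signature over AuthVarTBS(...), then the new variable data (empty for the PK delete).
func AssembleAuth(ts time.Time, pkcs7, data []byte) []byte {
	buf := new(bytes.Buffer)
	buf.Write(efiTime(ts))
	binary.Write(buf, binary.LittleEndian, uint32(8+16+len(pkcs7))) // WIN_CERTIFICATE.dwLength
	binary.Write(buf, binary.LittleEndian, uint16(0x0200))          // wRevision
	binary.Write(buf, binary.LittleEndian, uint16(0x0ef1))          // WIN_CERT_TYPE_EFI_GUID
	buf.Write(efiCertTypePKCS7GUID)
	buf.Write(pkcs7)
	buf.Write(data)
	return buf.Bytes()
}

// selfSignedDER is a constructed stand-in for PK.pem so the example runs offline.
func selfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := selfSignedDER("Example Platform Key")
	if err != nil {
		panic(err)
	}
	owner := guidBytes(0xd6e9af79, 0xc6b5, 0x4b43, [8]byte{0xb8, 0x93, 0xdb, 0xb7, 0xe6, 0x57, 0x01, 0x42}) // UUID from the transcript
	esl := BuildX509ESL(der, owner)
	certs, _ := ParseESLCerts(esl)
	fmt.Printf("PK.der.esl: %d bytes, %d cert(s), CN=%s\n", len(esl), len(certs), certs[0].Subject.CommonName)
	tbs := AuthVarTBS("PK", efiGlobalVariableGUID, time.Now().UTC(), nil)
	fmt.Printf("empty PK update: sign these %d bytes with PK.key, then wrap the PKCS#7 with AssembleAuth\n", len(tbs))
}
```

The signature step is the only part the firmware actually checks against PK: whatever produces the PKCS#7 (sbctl, sign-efi-sig-list, or a hardware token as discussed for keystores) must sign precisely the AuthVarTBS bytes, including the same timestamp that is then placed in the header, or the firmware rejects the update with a security violation.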