workflow-example.md

File metadata and controls

84 lines (68 loc) · 3.16 KB

Example Workflow

This is an example workflow for enrolling custom Secure Boot keys on an ASUS Z170-A motherboard. The same procedure applies to any other firmware, but the exact steps in the firmware setup menus may differ.

  1. Enter the UEFI setup menu by pressing one of F2/Del/Esc/F10/F11/F12 (depending on your firmware), or by running `systemctl --firmware-setup reboot`.

  2. Open the Boot/Secure Boot menu (screenshot: Boot Menu).

  3. Do not change OS Type to Custom, as this will not enable Setup Mode! Instead, open the sub-menu Key Management (screenshot: Secure Boot Menu).

  4. Use Clear Secure Boot Keys to enter Setup Mode (screenshot: Clear Secure Boot Keys).

  5. If your firmware does not provide this option, you will have to delete the keys manually. Open PK Management to do so, and repeat this step for KEK, DB and DBX (screenshots: Delete PK, Delete PK Confirmation).

  6. The Secure Boot keys should now be cleared (screenshot: Secure Boot Keys Cleared).

  7. Secure Boot should now be disabled. The platform key remains loaded until the system is rebooted (screenshot: Secure Boot Disabled, Platform Key Loaded).

  8. Exit the firmware with the save-and-reset option (even if it says no changes have been made). You may optionally enter the firmware setup again to confirm (screenshot: Secure Boot Disabled, Platform Key Unloaded).

  9. Confirm that Setup Mode is enabled:

     ```
     # sbctl status
     Installed:   ✘ Sbctl is not installed
     Setup Mode:  ✘ Enabled
     Secure Boot: ✘ Disabled
     ```

  10. Create custom Secure Boot keys:

      ```
      # sbctl create-keys
      Created Owner UUID a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
      Creating secure boot keys...✔
      Secure boot keys created!
      ```

  11. Enroll the custom Secure Boot keys:

      ```
      # sbctl enroll-keys
      Enrolling keys to EFI variables...✔
      Enrolled keys to the EFI variables!
      ```

  12. Confirm that Setup Mode is now disabled. At this point the device is in Secure Boot mode, although this may only be reflected in the status output after a reboot:

      ```
      # sbctl status
      Installed:   ✔ Sbctl is installed
      Owner GUID:  a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
      Setup Mode:  ✔ Disabled
      Secure Boot: ✘ Disabled
      ```

  13. Sign your bootloader and kernels with `sbctl` before rebooting!

  14. Optionally, observe the Secure Boot state in the firmware menu after rebooting (screenshots: Secure Boot With Custom Keys, Secure Boot Custom Keys).

  15. Confirm the Secure Boot state after the reboot:

      ```
      # sbctl status
      Installed:   ✔ Sbctl is installed
      Owner GUID:  a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
      Setup Mode:  ✔ Disabled
      Secure Boot: ✔ Enabled
      ```
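The steps above hinge on one check: keys must only be enrolled while the firmware is in Setup Mode (steps 8 and 9), and the `sbctl status` output is the only signal the workflow reads. The following shell script is an added example, not part of sbctl or of this page: it parses `sbctl status` output in the shape shown above, cross-checks it against the firmware's own `SetupMode` variable under `/sys/firmware/efi/efivars` (the standard EFI global-variable GUID `8be4df61-93ca-11d2-aa0d-00e098032b8c`; the first four bytes of an efivars file are attributes, the fifth is the value), and refuses to run `sbctl enroll-keys` unless both agree. The sample status texts are constructed from the outputs shown in steps 9 and 15; the `EFIVARS` override and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not sbctl's own code): guard the enroll step so that
# `sbctl enroll-keys` only runs while the firmware is in Setup Mode.

# Print the value of one `sbctl status` field ("Setup Mode", "Secure Boot")
# from the status text in $1. Taking the last whitespace-separated word of
# the matching line skips the ✔/✘ glyph in front of the value.
sbctl_field() {
    printf '%s\n' "$1" | awk -v key="$2" 'index($0, key ":") == 1 { print $NF }'
}

# Return 0 when the status text reports Setup Mode enabled, 1 otherwise.
setup_mode_enabled() {
    [ "$(sbctl_field "$1" "Setup Mode")" = "Enabled" ]
}

# Return 0 when the status text reports Secure Boot enabled, 1 otherwise.
secure_boot_enabled() {
    [ "$(sbctl_field "$1" "Secure Boot")" = "Enabled" ]
}

# Read the firmware's SetupMode variable directly. Prints "1" (Setup Mode),
# "0" (User Mode) or "unknown" when efivars is not readable on this host.
# EFIVARS may be overridden (assumed knob of this example) for testing.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
efivar_setup_mode() {
    f="$EFIVARS/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$f" ] || { echo unknown; return 0; }
    # skip the 4 attribute bytes, read the 1 data byte as unsigned decimal
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Decide whether enrollment may proceed: 0 only when sbctl reports Setup
# Mode enabled and the efivar (if readable) says the same.
enroll_guard() {
    status="$1"
    if ! setup_mode_enabled "$status"; then
        echo "refusing to enroll: firmware is not in Setup Mode (redo steps 4-8)" >&2
        return 1
    fi
    ev=$(efivar_setup_mode)
    if [ "$ev" != unknown ] && [ "$ev" != 1 ]; then
        echo "refusing to enroll: sbctl reports Setup Mode but SetupMode efivar is $ev" >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs, in the shape shown in steps 9 and 15.
STATUS_SETUP='Installed:   ✘ Sbctl is not installed
Setup Mode:  ✘ Enabled
Secure Boot: ✘ Disabled'
STATUS_FINAL='Installed:   ✔ Sbctl is installed
Owner GUID:  a9fbbdb7-a05f-48d5-b63a-08c5df45ee70
Setup Mode:  ✔ Disabled
Secure Boot: ✔ Enabled'

if [ "${1:-}" = "--live" ]; then
    # Live mode (assumed flag): feed real sbctl output to the guard, then enroll.
    enroll_guard "$(sbctl status)" && sbctl enroll-keys
else
    # Offline demo on the constructed samples.
    enroll_guard "$STATUS_SETUP" && echo "sample (step 9): enrollment would proceed"
    enroll_guard "$STATUS_FINAL" 2>/dev/null || echo "sample (step 15): enrollment refused, not in Setup Mode"
fi
```

Run it without arguments to exercise the guard on the embedded samples; on the machine being enrolled, `sh guard.sh --live` (as root) performs the real check before calling `sbctl enroll-keys`. The efivar cross-check catches the case where `sbctl status` is stale relative to the firmware, which is why step 12 notes the state may only be reflected after a reboot.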