
I successfully installed Debian Stretch on my ASUS G750JZ laptop with Secure Boot turned off. Now I'm interested in enabling it, so I created my own PK, KEK and db keys and uploaded them into my BIOS. Now I have my own PK key and my own KEK and db keys as well as Microsoft and ASUS ones to dual boot Windows 10.

The problem is that when I try to load any bootloader (GRUB, rEFInd, HashTool) signed by my db key, it doesn't boot and the message "Invalid signature detected" is displayed instead. However, sbverify of course claims that these bootloaders are signed correctly, efi-readvar also finds my own keys, and Windows still boots successfully even on my own PK key.

I have read many tutorials about setting up Secure Boot custom keys, mostly from Gentoo and Arch, but it seems to be distro-independent. Does anyone else also have such a problem? Could it be a bug in my BIOS?

  • What exactly leads you to conclude that the "BIOS doesn't recognize any bootloader signed by my db key"? Specifics, specifics, specifics! Details matter! You can edit your question.
    – user
    Commented Feb 23, 2017 at 12:17
  • A standard message about an invalid signature is displayed, even though my keys are stored in the BIOS and they are recognized by efi-readvar.
    – radson
    Commented Feb 23, 2017 at 13:55
  • I have seen at least one system (an HP EliteDesk) that doesn't work with custom keys, although it seems to accept them. (Note that I've installed custom keys on several systems, so I know what I'm doing.) I finally gave up on Secure Boot with that system. You might look for a firmware update, in case you're seeing a similar bug that ASUS has fixed. It's also possible you've made some subtle mistake, like adding a .crt file rather than a .cer/.der file. (My ASUS motherboard will accept anything, but only the right file type actually works.)
    – Rod Smith
    Commented Mar 7, 2017 at 16:05
