
I have to disable Secure Boot. To do this, I have to delete the PK keys. Will this affect the loading of my operating system? I am using a "one-time" SSD that is currently connected. But I also have a disk with Ubuntu, which is not connected. The main thing for me is that when deleting PK keys, Linux does not break. Also, will it be possible to return the keys to their previous state if there is a problem?

ASUS motherboard, 2 Windows SSD connected (1 - boot manager with os, 2 - os, which is connected to 1 ssd)

  • "I have to disable Secure Boot" No, you don't have to; you may want to for reasons, but under no scenario do you have to. "To do this, I have to delete the PK keys" Again, no, absolutely NOT. Your question, in a nutshell, suggests you don't know what you're doing or why. Perhaps better to ask about what problem you are trying to solve?...
    Commented Dec 29, 2023 at 12:09
  • Yes, I have reason to turn it off. And to do that via ASUS UEFI, I have to delete PK, or what? I just need to understand consequences of this action.
    – euclidy
    Commented Dec 29, 2023 at 12:41
  • No, you don't (unless you're planning to install an obsolete OS that doesn't support UEFI, in which case you shouldn't, obviously). Such a comment nowadays sounds utterly ridiculous. This is an X-Y problem, as already mentioned. And no, to disable Secure Boot you just... disable Secure Boot! No need to delete keys, and if you do, the most likely scenario is not being able to boot anything. Now please either edit this question so it makes sense or just delete it and ask about the problem you're trying to solve, NOT about what you think is the solution and that clearly and unequivocally ISN'T.
    Commented Dec 29, 2023 at 12:59
  • For what reason does Secure Boot need to be disabled? It's there to ensure the bootloader of an OS can't be infected with malware, such as a rootkit, and if there is an OS that doesn't have its signing cert within the UEFI firmware, it can be manually added through the UEFI firmware's boot page or the EFI shell, IIRC.
    – JW0914
    Commented Dec 30, 2023 at 12:41
  • I just messed up one thing. I did all without deleting PK keys. Thanks for your help.
    – euclidy
    Commented Jan 1 at 0:23

2 Answers


By itself PK does not influence what you can boot – that's done by the db keys.

The purpose of PK, Platform Key, is just to control who/what can make updates to the other Secure Boot Keys. If PK is present, only PK-signed updates can be made to the KEK list and only KEK-signed updates can be made to the db list. (This doesn't apply to what you can do through the firmware setup screen, it's just about what can be done from the OS.)

Deleting PK doesn't really turn off Secure Boot, but switches it to "setup mode" where the update signature checks are disabled and a running OS can make KEK/db updates freely, e.g. authorize any db key it wants. However, the boot-time signature checks are still active.

So I don't think this is the option you're looking for. There should be a different option to actually turn off Secure Boot.

Another thing to note is that if you have BitLocker enabled, then any change to the Secure Boot configuration (on/off, PK, KEK...) will require your BitLocker Recovery Key after reboot, so make sure you have that.

But other than that, there are no serious negative consequences to deleting PK, and per specification you should always have the option to restore it to the built-in default, returning to "user mode"... or generating your own PK, which will have the exact same effect. (PK is only the public key – the corresponding private key is held by the manufacturer – so it's not the same kind of thing as clearing TPM.)
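The answer above distinguishes three states: PK present with Secure Boot enforced ("user mode"), PK present but Secure Boot switched off in the firmware setup, and PK deleted ("setup mode"). A defender can verify which state a machine is in before and after touching the firmware menu. The script below is an added example, not part of either answer; it reads the `SecureBoot`, `SetupMode` and `PK` variables through Linux efivarfs (assumed mounted at `/sys/firmware/efi/efivars`, each file being 4 attribute bytes followed by the variable data) and classifies the result. The helper names (`sb_state`, `pk_present`, `make_sample`) and the constructed sample trees it builds in a temp directory are mine; only the variable names and the EFI_GLOBAL_VARIABLE GUID are real.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state from UEFI variables via efivarfs.
# Each efivarfs file is 4 bytes of attribute flags followed by the variable data,
# so the first data byte sits at offset 4.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID (real)
EFIVARS=/sys/firmware/efi/efivars                  # assumed efivarfs mount point

# efi_var_byte DIR NAME: print the first data byte of variable NAME as a decimal,
# "empty" if the variable has no data, or "absent" if the file does not exist.
efi_var_byte() {
    f="$1/$2-$EFI_GLOBAL"
    if [ ! -e "$f" ]; then echo absent; return; fi
    b=$(dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    if [ -n "$b" ]; then echo "$b"; else echo empty; fi
}

# sb_state DIR: classify from SetupMode (decisive) and SecureBoot.
#   setup-mode           PK has been cleared; the firmware accepts unsigned KEK/db updates
#   user-mode-enforcing  PK present and the firmware reports Secure Boot active
#   user-mode-disabled   PK present but Secure Boot switched off in the setup screen
#   no-uefi-vars         neither variable exists (legacy boot, or efivarfs not mounted)
sb_state() {
    sm=$(efi_var_byte "$1" SetupMode)
    sb=$(efi_var_byte "$1" SecureBoot)
    if [ "$sm" = absent ] && [ "$sb" = absent ]; then echo no-uefi-vars; return; fi
    if [ "$sm" = 1 ]; then echo setup-mode; return; fi
    if [ "$sb" = 1 ]; then echo user-mode-enforcing; else echo user-mode-disabled; fi
}

# pk_present DIR: "yes" if a PK variable with a non-empty body is enrolled, else "no".
pk_present() {
    case $(efi_var_byte "$1" PK) in absent|empty) echo no ;; *) echo yes ;; esac
}

# write_var DIR NAME BYTE: write a one-byte variable in efivarfs layout.
# Only used to build CONSTRUCTED sample trees below; it never writes to real firmware.
write_var() {
    printf "\006\000\000\000\\$(printf %03o "$3")" > "$1/$2-$EFI_GLOBAL"
}

# make_sample DIR SB SM PK: constructed sample tree. SB/SM are 0/1; PK=1 enrolls a
# stand-in PK body (a real PK is an EFI_SIGNATURE_LIST; one byte is enough here).
make_sample() {
    mkdir -p "$1"
    write_var "$1" SecureBoot "$2"
    write_var "$1" SetupMode "$3"
    if [ "$4" = 1 ]; then write_var "$1" PK 1; fi
}

report() {
    printf '%-12s state=%s pk=%s\n' "$1" "$(sb_state "$2")" "$(pk_present "$2")"
}

# Demonstration on constructed samples (the SecureBoot value in the setup-mode
# sample is constructed; SetupMode alone decides that classification).
tmp=$(mktemp -d)
make_sample "$tmp/enforcing" 1 0 1   # factory state
make_sample "$tmp/setup"     0 1 0   # PK deleted from the firmware menu
make_sample "$tmp/off"       0 0 1   # Secure Boot toggled off, PK untouched
report enforcing "$tmp/enforcing"
report setup     "$tmp/setup"
report off       "$tmp/off"
if [ -d "$EFIVARS" ]; then report this-machine "$EFIVARS"; fi
rm -rf "$tmp"
```

On a live Ubuntu install the same information is also available through `mokutil --sb-state`; the point of reading the variables directly is to see `SetupMode` and the presence of `PK` separately, which is exactly the distinction the answer draws between "Secure Boot off" and "PK deleted".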


First, I suggest you back up your data from the Windows drive. The keys at a minimum.

If BitLocker or any other drive encryption is enabled, you should back up ALL your data to another, non-encrypted drive, in case your current Windows installation refuses to boot up ever again. Or disable drive encryption temporarily. (Unless Windows refuses to disable the encryption, which isn't that rare.)

If your second drive only contains the mentioned Linux installation, then that doesn't need to be backed up separately, since it should work independently of your Windows install.

In theory you should not delete any keys in order to disable Secure Boot. If you still try to delete them, I would suggest keeping a Windows installation pendrive at hand too, in case you need to copy the keys back or to repair the Windows installation. If you can reliably modify the Windows partition from your Ubuntu install, then the Windows install pendrive isn't necessary.

But before deleting anything, you must disable Secure Boot in the UEFI first!

About the consequences of disabling: on boot your computer won't check whether your basic system components have been modified or not.

This is considered bad for security, since Secure Boot can protect you from some viruses or from someone physically accessing your PC to decrypt your encrypted drive. PS: This is why people will try to convince you not to disable it, as if it were some ultra-dangerous operation, potentially frying your motherboard, blowing up the battery and burning down half the city.
