When secure boot is disabled, is it possible to delete the PK key from terminal? I know that to change the keys, you need to enter setup mode. And to enter setup mode, you need to delete the PK key. Now, is it possible to delete the PK key not through BIOS, but through terminal of your OS? Keep in mind that secure boot is disabled.

The reason I'm asking this is because I want to have 2 OS's installed. First is Linux that will be signed with my own keys, and then Windows. In BIOS I will have only my custom keys, so no Microsoft keys. When booting Linux, I will have secure boot turned on, when booting Windows, I will have secure boot turned off (because I won't have Microsoft keys enrolled, only my custom keys).

Linux is an important OS for me, that's why I'll boot it with secure boot turned on; but Windows I won't use for anything important, so it's fine to boot it without secure boot.

However, let's say a malicious app got installed on my Windows OS. If I boot Windows with secure boot turned off, will this malicious app be able to change my secure boot keys? That's what I'm trying to understand.

  • You shouldn't have to load your own keys to boot into Linux with Secure Boot enabled. It's unclear the reason you plan on doing that, well you state your reason, but it's unnecessary to do so.
    – Ramhound
    Commented Feb 29 at 12:12
  • I specifically want to have my own keys in Secure Boot for Linux, and my kernel signed with my keys. This is needed for security. I get that it's optional, but I want to do it.
    – astroboy
    Commented Feb 29 at 12:59
  • So you are choosing to allow the more vulnerable system to boot without secure boot in interest of more security? Your worry about a malicious application is justified. The state of your system cannot be ensured if Secure Boot is disabled at any point.
    – Ramhound
    Commented Feb 29 at 16:20
  • Not exactly, the question is: what would such a malicious app be able to do? I don't care about Windows, it doesn't have important data on it. Linux will have all data encrypted. What will the app be able to do? Will it be able to change the secure boot keys? If not, what trouble would it give me? You're saying it's not secure, why exactly? Can you give an example?
    – astroboy
    Commented Feb 29 at 20:08
  • I'm really not sure whether the whole plan makes sense. On the one hand, what risks do you imagine in keeping the MS keys enrolled? And on the other hand, what risks do you expect Secure Boot to protect your Linux system against? It feels like you're expecting it to act as a universal exploit shield or something along those lines, when it really isn't... Commented Mar 4 at 15:06

1 Answer

When Secure Boot is enabled, the Secure Boot keys are used to verify all binary objects before they are executed (until the OS boots, after which security is the OS's responsibility). This includes BIOS updates, which are always signed using the mainboard manufacturer's key (stored in the Secure Boot Platform Key or PK) or the Microsoft UEFI CA 2011 key (stored in the Key Exchange Keys or KEK, usually along with the same key as stored in the PK, plus a couple of others depending on the manufacturer).

Thus, random updates to the BIOS cannot happen when Secure Boot is enabled.

When the PK is removed/deleted, secure boot enters setup mode (as opposed to user mode, where Secure Boot is enabled and enforcing checks), until a platform key is added. Setup mode allows modification of the secure boot configuration without the previous restrictions and checks.

Section 1.3.2 of the MS Doc titled Windows Secure Boot Key Creation and Management Guidance gives a lot more details of how the keys interact with each other, and with booting overall.

  • Thank you. But is it possible to delete the PK key only from bios, or also from OS with terminal, for example?
    – astroboy
    Commented Mar 8 at 19:48
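Whether the PK is present, and therefore whether the firmware is in setup mode or user mode, can be checked from a booted Linux OS by reading the UEFI variables that efivarfs exposes under /sys/firmware/efi/efivars. The following script is an added example, not code from the thread or from any of its participants: it parses the efivarfs file layout (a 4-byte little-endian attribute word followed by the variable data) for the SecureBoot, SetupMode and PK variables, and reports whether the key databases are currently open to modification from the OS. The GUID is the standard EFI_GLOBAL_VARIABLE GUID; the sample efivars directory it builds is constructed test data so the script runs offline.

```python
import os
import struct
import tempfile

# EFI_GLOBAL_VARIABLE GUID; SecureBoot, SetupMode and PK all live under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# UEFI variable attribute bits (EFI_VARIABLE_*).
NON_VOLATILE = 0x01
BOOTSERVICE_ACCESS = 0x02
RUNTIME_ACCESS = 0x04
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def read_efivar(name, efivars_dir=EFIVARS_DIR, guid=EFI_GLOBAL_VARIABLE):
    """Return (attributes, data) for a UEFI variable, or None if it is absent.

    efivarfs files start with a 4-byte little-endian attribute word; the
    variable's payload follows it.
    """
    path = os.path.join(efivars_dir, f"{name}-{guid}")
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        raw = f.read()
    if len(raw) < 4:
        return None
    attrs = struct.unpack("<I", raw[:4])[0]
    return attrs, raw[4:]


def secure_boot_state(efivars_dir=EFIVARS_DIR):
    """Summarise the Secure Boot key state as seen from the running OS."""
    sb = read_efivar("SecureBoot", efivars_dir)
    sm = read_efivar("SetupMode", efivars_dir)
    pk = read_efivar("PK", efivars_dir)
    return {
        # SecureBoot == 1 means the firmware enforced signature checks this boot.
        "secure_boot_enforcing": bool(sb and sb[1][:1] == b"\x01"),
        # SetupMode == 1 means no PK is enrolled and the databases are writable.
        "setup_mode": bool(sm and sm[1][:1] == b"\x01"),
        # An enrolled PK has a non-empty EFI_SIGNATURE_LIST payload.
        "pk_present": bool(pk and len(pk[1]) > 0),
        # In user mode the PK must carry the time-based authenticated-write bit,
        # so a write not signed by the current PK is rejected by the firmware.
        "pk_auth_write": bool(pk and pk[0] & TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
    }


def assess(state):
    """Turn the raw state into findings a defender cares about."""
    findings = []
    if state["setup_mode"] or not state["pk_present"]:
        findings.append("setup mode: PK/KEK/db/dbx can be rewritten by any root process")
    if state["pk_present"] and not state["pk_auth_write"]:
        findings.append("PK lacks authenticated-write attribute (unexpected firmware state)")
    if state["pk_present"] and not state["secure_boot_enforcing"]:
        findings.append("PK enrolled but Secure Boot not enforcing: keys are still "
                        "protected, but this boot's binaries were not verified")
    return findings


def build_sample_efivars(setup_mode):
    """Construct a fake efivars directory (test data, not read from hardware)."""
    d = tempfile.mkdtemp(prefix="efivars-sample-")
    ro_attrs = struct.pack("<I", BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
    pk_attrs = struct.pack("<I", NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS
                           | TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
    files = {
        "SecureBoot": ro_attrs + (b"\x00" if setup_mode else b"\x01"),
        "SetupMode": ro_attrs + (b"\x01" if setup_mode else b"\x00"),
    }
    if not setup_mode:
        # Placeholder bytes standing in for an EFI_SIGNATURE_LIST with one cert.
        files["PK"] = pk_attrs + b"\xa1" * 64
    for name, content in files.items():
        with open(os.path.join(d, f"{name}-{EFI_GLOBAL_VARIABLE}"), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    # Use the real efivarfs when it is mounted, otherwise the constructed sample.
    target = EFIVARS_DIR if os.path.isdir(EFIVARS_DIR) else build_sample_efivars(False)
    state = secure_boot_state(target)
    print(state)
    for finding in assess(state) or ["user mode: key databases are write-protected"]:
        print(" -", finding)
```

Run it as root on a Linux system with efivarfs mounted and it reads the live variables; without efivarfs it falls back to the constructed sample. A PK that is present with the authenticated-write attribute set is what keeps a root process, on any OS booted on that machine, from replacing the key databases: the firmware only accepts a write to PK that is signed by the current PK, regardless of whether Secure Boot enforcement was on for that particular boot.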