Questions tagged [secure-boot]
Questions for UEFI Secure-Boot, Secure-Boot Key Signing and Management
122
questions
1
vote
1
answer
21
views
Shim boot loader: System is compromised when using certificate, but not with hash
I am trying to boot a Linux kernel with efi stub enabled using Red Hat's Shim https://github.com/rhboot/shim.
I can boot the system if I enroll the hash of my efi stub (selecting GRUBX64.EFI), but ...
0
votes
0
answers
8
views
Rebooting directly into MOK
I'd like to enroll a new key in a GCP VM. I'm using the mok --import command, and rebooting from the serial console. The problem is that, when the splash screen appears, the serial console does not ...
1
vote
0
answers
48
views
Kernel Locked Down from EFI secure boot, secure boot disabled in bios
I wanted to ask about something happening on my Debian 12 machine.
When I run journalctl as root I get this message: "Kernel is locked down from EFI Secure Boot; see man kernel_lockdown.7"
I ...
1
vote
1
answer
131
views
About Secure Boot, MOK and NVRAM
Good evening, after searching on google I didn't find the answer to my question.
When installing a distribution such as Ubuntu with secure boot activated, the installer creates a MOK key in the NVRAM ...
1
vote
1
answer
47
views
How to compare secure boot keys stored in motherboard’s firmware database with the signed .efi files?
It’s a piece of cake to enable secure boot in a virtual machine, but I’m struggling to do the same with OpenSUSE on my 2012 vintage computer which refuses to boot in secure boot mode even in the ...
0
votes
0
answers
22
views
EDK2: Sign startup.nsh UEFI script
When the BIOS loads the EDK2 UEFI shell it checks its signature. Then I've configured EDK2 to verify all UEFI modules (i.e. Ext4Pkg), but the startup.nsh script is unsigned.
How can I sign/verify the ...
0
votes
0
answers
43
views
Mass install linux by dd to drive directly?
I need to install a custom OS to many similar/identical laptops. Would it work to live boot a laptop and dd the disk from a template laptop to the new one? Is it possible to trigger secure boot key ...
0
votes
0
answers
52
views
How to disable kernel_lockdown (MSR) without BIOS or console access
I have a laptop with a damaged screen. I use it by connecting a screen via HDMI. I'm running some crypto mining software that requires MSR access to run efficiently.
I cannot access the BIOS to disable ...
0
votes
2
answers
284
views
How and when is `/sys/kernel/security/tpm0/binary_bios_measurements` exposed?
Currently, I try to understand how a measured boot is working and what components log what in which pcr of a tpm2.
I have a test-setup with uefi-secure boot enabled and a tpm2 attached in a kvm ...
0
votes
0
answers
192
views
How to add a key to the secureboot db EFI signature list?
I currently have two machines running Arch Linux with a unified kernel image (UKI), full disk encryption (FDE), and secure boot/TPM2 based unlocking. I would like to create a portable USB stick ...
0
votes
1
answer
286
views
How do I enable UEFI secure boot for a linux build made with yocto?
I'm producing a yocto build, and want to enable UEFI Secure Boot on the intel machine I'm using. This is a pretty basic yocto build, using core-image-minimal and meta-intel. The artifacts it ...
0
votes
1
answer
620
views
MOKutil: Enroll key of already installed driver
I installed the proprietary NVIDIA drivers on my PC using the option my distribution (Zorin OS) gave me upon first installation. Unfortunately, the signature of the driver was not enrolled to MOK, ...
0
votes
0
answers
42
views
Create, update, modify, and delete UEFI authenticated variables from userspace in Linux
I've been searching for, but cannot find any information or utilities for creating, deleting, modifying, and updating arbitrary authenticated variables in Linux from userspace.
Sure, there are tools ...
0
votes
1
answer
414
views
Update NVRAM so that shimx64.efi is run instead of grubx64.efi on Debian system for secure boot
I want to configure my Debian to boot with secure boot enabled but it doesn't and here is why...
OS specific boot loaders are stored on the ESP partition which is mounted in /boot/efi
Debian system ...
0
votes
1
answer
583
views
How do I install Linux when I cannot disable Secure Boot?
I tried to install Linux Mint with a USB stick done by Ventoy and by (KDE) ISO Image Writer on Fedora. Mint latest version 21.3. Both times I get "Secure Boot Violation. Invalid signature detected. ...