sbctl
Linux refusing the creation of PK on ThinkPad T460s
I'm trying to use sbctl on Void Linux, but it appears I'm not mounting the efivars correctly.
Could you please point out the correct way to do it, without relying on dbus, udev etc?
$ doas sbctl status
Installed: ✔ Sbctl is installed
Owner GUID: <some stuff>
Setup Mode: ✔ Disabled
Secure Boot: ✘ Disabled
$ doas sbctl enroll-keys
Enrolling keys to EFI variables...✘
couldn't sync keys: couldn't open file: open /sys/firmware/efi/efivars/<some string>: no such file or directory
$ doas mount -t efivarfs efivarfs /sys/firmware/efi/efivars
$ doas sbctl status
Installed: ✔ Sbctl is installed
Owner GUID: <same stuff>
Setup Mode: ✘ Enabled
Secure Boot: ✘ Disabled
$ doas sbctl enroll-keys
Enrolling keys to EFI variables...✘
sbtl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/<some different string>: permission denied
Thanks.
This is on a ThinkPad T460s.
$ doas lsattr /sys/firmware/efi/efivars/<string>
---------------------- /sys/firmware/efi/efivars/<string>
Please post complete errors. I'm unable to figure out anything if you keep censoring values for no good reason.
I don't know how Void mounts efivarfs, so that is something you need to figure out on your own. As for the rest of the errors, you need to reset the User Mode. And give me the output of:
lsattr /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Let me do it again: this is with efivars mounted via doas mount -t efivarfs efivarfs /sys/firmware/efi/efivars
$ doas sbctl status
Installed: ✔ Sbctl is installed
Owner GUID: 81b996f5-236f-43ab-b5c9-282b933f006c
Setup Mode: ✘ Enabled
Secure Boot: ✘ Disabled
$ doas sbctl enroll-keys
Enrolling keys to EFI variables...✘
sbtl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c: permission denied
$ doas lsattr /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
---------------------- /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
---------------------- /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
---------------------- /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Output of ls -lah /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
please
ls -lah /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-rw-r--r-- 1 root root 1.4K Oct 18 19:12 /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 0 Oct 18 19:12 /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 1.3K Oct 18 19:12 /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Did you select User Mode in the Secure Boot menu on your thinkpad?
I first cleared keys and then selected setup mode.
Is user mode something different?
It's refusing to accept the Platform Key so I'm not quite sure what state the secure boot mode should be in for that to be a thing. To me it seems like everything should be working.
In my bios, I have under secure boot:
secure boot: disabled
platform mode: setup mode (cannot change)
secure boot mode: custom (cannot change)
reset to setup mode: enter (did as 2)
restore factory keys: enter
clear all secure boot keys: enter (did as 1)
As for the OS, I don't think it mounts efivars by default, so I used the mount command above.
Could it be an issue with ThinkPads? Have you had experience with those?
sbctl is developed on a t480s. It should just work. Everything seems in order so this is weird. Never seen this before frankly.
I see. And you're not questioning the way I mount efivars, right? (if I don't mount them, there's nothing there)
systemd mounts efivarfs like this on Arch Linux:
λ ~ » mount | grep efivar
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
I don't think anything here matters? It did manage to create KEK and db, so it is the PK creation that Linux is refusing.
I was reading on reddit that "if it only happens on the last step I’d try using PK.esl instead of PK.auth".
Which format does sbctl use? Is it possible to change the format?
sbctl uses the signed EFI_SIGNATURE_LISTs, and any well-behaving EFI implementation should support both. If you want to use the unsigned list you can try building sbctl yourself and remove the following lines:
https://github.com/Foxboron/sbctl/blob/master/keys.go#L107-L110
and pass sigdb into WriteEFIVariable.
Does the program use EFI_VARIABLE_APPEND_WRITE by any chance?
I was reading lenovo does not support it.
The current Enroll code doesn't use EFI_VARIABLE_APPEND_WRITE, I believe.
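The exchange above turns on what actually goes through efivarfs: every file under /sys/firmware/efi/efivars is a 4-byte little-endian attribute word followed by the variable data, and a write has to hand the kernel the same layout in a single write(). The Go program below is an added example for this thread, not sbctl's own code and not the keys.go or WriteEFIVariable the maintainer refers to. It reads SetupMode/SecureBoot the way "sbctl status" reports them, decodes the attribute bits on the PK/KEK/db files (so you can see whether the firmware exposes them as time-based authenticated variables), rejects a 0-byte file like the PK listed earlier instead of parsing it, and shows how a write with or without EFI_VARIABLE_APPEND_WRITE is composed. The directory argument, the file-name helpers and the NV|BS|RT|TIME_BASED attribute combination are the example's own assumptions; it never writes anything unless you call WriteVariable yourself.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"os"
	"path/filepath"
)

const (
	// SetVariable() attribute bits from the UEFI specification.
	NonVolatile        uint32 = 0x01
	BootServiceAccess  uint32 = 0x02
	RuntimeAccess      uint32 = 0x04
	TimeBasedAuthWrite uint32 = 0x20 // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
	AppendWrite        uint32 = 0x40 // EFI_VARIABLE_APPEND_WRITE
	GlobalVariableGUID        = "8be4df61-93ca-11d2-aa0d-00e098032b8c" // PK, KEK, SetupMode, SecureBoot
	ImageSecurityGUID         = "d719b2cb-3d3a-4596-a3bc-dad00e67656f" // db, dbx
)

type Variable struct {
	Attrs uint32
	Data  []byte
}

// ReadVariable parses <dir>/<name>-<guid>: a 4-byte attribute word, then the data (0-byte file = error).
func ReadVariable(dir, name, guid string) (Variable, error) {
	raw, err := os.ReadFile(filepath.Join(dir, name+"-"+guid))
	if err != nil {
		return Variable{}, err
	}
	if len(raw) < 4 {
		return Variable{}, fmt.Errorf("%s: %d bytes, too short for an efivarfs variable", name, len(raw))
	}
	return Variable{Attrs: binary.LittleEndian.Uint32(raw[:4]), Data: raw[4:]}, nil
}

// BootState decodes the one-byte SetupMode and SecureBoot variables behind "sbctl status".
func BootState(dir string) (setupMode, secureBoot bool, err error) {
	var v [2]Variable
	for i, name := range []string{"SetupMode", "SecureBoot"} {
		if v[i], err = ReadVariable(dir, name, GlobalVariableGUID); err != nil {
			return false, false, err
		}
		if len(v[i].Data) != 1 {
			return false, false, fmt.Errorf("%s: expected 1 data byte, got %d", name, len(v[i].Data))
		}
	}
	return v[0].Data[0] == 1, v[1].Data[0] == 1, nil
}

// DescribeAttrs names the set bits of an attribute word, lowest bit first.
func DescribeAttrs(a uint32) []string {
	names := map[uint32]string{NonVolatile: "NON_VOLATILE", BootServiceAccess: "BOOTSERVICE_ACCESS", RuntimeAccess: "RUNTIME_ACCESS",
		TimeBasedAuthWrite: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS", AppendWrite: "APPEND_WRITE"}
	var out []string
	for _, bit := range []uint32{NonVolatile, BootServiceAccess, RuntimeAccess, TimeBasedAuthWrite, AppendWrite} {
		if a&bit != 0 {
			out = append(out, names[bit])
		}
	}
	return out
}

// WriteVariable composes what a SetVariable() through efivarfs takes: the attribute word, then the
// payload (a signed .auth blob or a bare ESL), in one write(). appendWrite toggles EFI_VARIABLE_APPEND_WRITE.
// On a real efivarfs an immutable file (lsattr shows 'i') and a firmware refusal both come back as "permission denied".
func WriteVariable(dir, name, guid string, payload []byte, appendWrite bool) (uint32, error) {
	attrs := NonVolatile | BootServiceAccess | RuntimeAccess | TimeBasedAuthWrite
	if appendWrite {
		attrs |= AppendWrite
	}
	buf := make([]byte, 4+len(payload))
	binary.LittleEndian.PutUint32(buf, attrs)
	copy(buf[4:], payload)
	return attrs, os.WriteFile(filepath.Join(dir, name+"-"+guid), buf, 0o644)
}

func main() {
	dir := "/sys/firmware/efi/efivars" // on Void, mount efivarfs there first
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	setup, sb, err := BootState(dir)
	if err != nil {
		fmt.Println("cannot read SetupMode/SecureBoot (is efivarfs mounted?):", err)
		os.Exit(1)
	}
	fmt.Printf("Setup Mode: %v  Secure Boot: %v\n", setup, sb)
	for _, v := range [][2]string{{"PK", GlobalVariableGUID}, {"KEK", GlobalVariableGUID}, {"db", ImageSecurityGUID}} {
		vr, err := ReadVariable(dir, v[0], v[1])
		if err != nil {
			fmt.Printf("%-3s: %v\n", v[0], err)
			continue
		}
		fmt.Printf("%-3s: %d data bytes, attrs 0x%02x %v\n", v[0], len(vr.Data), vr.Attrs, DescribeAttrs(vr.Attrs))
	}
}
```

Run it as `go run . /sys/firmware/efi/efivars` (or against a copied directory of the variable files). If a WriteVariable call on a real system returns "permission denied", check lsattr for the 'i' flag first, as was done above; if the flag is clear and the variable file still cannot be written, the rejection is coming from the firmware rather than from the kernel, which is where this thread ends up.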
Having the same issue on my T460 with Arch (proper). Reset/Cleared keys a hundred times, chattr -i the files, always fails with permission denied
sbctl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/PK-some-blah: permission denied
:(
I see, so perhaps the UEFI implementation of the T460(s) is faulty.
@mrhpearson Could Lenovo BIOS devs investigate this?
I've flagged it to the FW team (for my reference LO-1477). For these older platforms it can be really hard to get support for issues like this so no promises that I'll be able to get an answer....but I'll try. Mark
Same problem, but I'm on a dell precision 3510. In the last step, I get the error:
stanley in ~ λ sudo sbctl enroll-keys --microsoft
Enrolling keys to EFI variables...
With vendor keys from Microsoft...✗
sbctl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f: permission denied
Output of lsattr:
stanley in ~ λ lsattr /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
---------------------- /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
---------------------- /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
---------------------- /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Output of ls -lah:
stanley in ~ λ ls -lah /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-rw-r--r-- 1 root root 3,1K 23. Dez 09:44 /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-rw-r--r-- 1 root root 1,6K 23. Dez 09:44 /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 1,4K 23. Dez 09:44 /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
sbctl status output
stanley in ~ λ sbctl status
Installed: ✓ sbctl is installed
Owner GUID: aa439dbd-ede7-466d-99d5-b0ba58c2f2a4
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Setup mode is set to "user" and I'm using EndeavourOS, with encryption, if it's relevant.
**bootctl status output**
systemd-boot not installed in ESP.
System:
Firmware: n/a (n/a)
Secure Boot: disabled
Setup Mode: user
TPM2 Support: no
Boot into FW: supported
Current Boot Loader:
Product: n/a
Features: ✗ Boot counting
✗ Menu timeout control
✗ One-shot menu timeout control
✗ Default entry control
✗ One-shot entry control
✗ Support for XBOOTLDR partition
✗ Support for passing random seed to OS
✗ Boot loader sets ESP information
ESP: n/a
File: └─n/a
Random Seed:
Passed to OS: no
System Token: not set
Exists: no
Available Boot Loaders on ESP:
ESP: /boot/efi (/dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af)
File: └─/EFI/BOOT/bootx64.efi
Boot Loaders Listed in EFI Variables:
Title: EndeavourOS
ID: 0x0003
Status: active, boot-order
Partition: /dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af
File: └─/EFI/EndeavourOS/grubx64.efi
Title: Artix
ID: 0x0002
Status: active, boot-order
Partition: /dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af
File: └─/EFI/Artix/grubx64.efi
Title: Windows Boot Manager
ID: 0x0001
Status: active, boot-order
Partition: /dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af
File: └─/EFI/Microsoft/Boot/bootmgfw.efi
Title: UEFI: INTEL SSDSCKKF512H6 SATA 512GB, Partition 1
ID: 0x0010
Status: active, boot-order
Partition: /dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af
File: └─EFI/Microsoft/Boot/bootmgfw.efi
Title: Windows Boot Manager
ID: 0x0000
Status: active
Partition: /dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af
File: └─/EFI/Microsoft/Boot/bootmgfw.efi
Boot Loader Entries:
$BOOT: /boot/efi (/dev/disk/by-partuuid/c0df765e-6457-4d31-b912-5e30bc0551af)
0 entries, no entry could be determined as default.
Did you reset the keys in the BIOS menu? Do the files contain anything before you started running sbctl?
Did you reset the keys in the BIOS menu?
Yes, I checked "Clear" from BIOS for TPM 1.2.
Do the files contain anything before you started running sbctl?
Hummmm 🤔, not sure. How can I be sure of that?
Running sudo sbctl list-files doesn't yield anything.
Do the PK, KEK, db files exist after resetting the keys?
I don't remember, and I can't try again because "Clear" is now grayed out.
When trying to issue sudo sbctl reset I get the same message: "sbctl requires root to run: couldn't write efi variable"
Sorry for the late response, I'm trying your tool on my work computer. The "architecture guy" requests secure boot enabled, because of the General Data Protection Law.
sudo sbctl reset isn't going to do anything when you can't enroll keys.
I'm also not sure why you are in the TPM 1.2 menu for Secure Boot?
@Foxboron @mrhpearson Would it make sense to transfer this issue over to https://github.com/fwupd/firmware-lenovo (or some similar github organization tracking lenovo firmware issues) as it seems really firmware-related? Who has the authority to do so?