
Write a sentence in FAQ about Secure Boot requirement probability to read TPM Event log and determine OpROM presence.

Open HeroBrine1st opened this issue 2 years ago • 2 comments

TL;DR Skip to the text right above the quote.

I spent a week with my tired brain trying to figure out if there is any OpROM in my laptop. Found this great page but not the file, and then I found a no-name forum where one person said a TPM by design may have no log, hence no binary_bios_measurements file. And then I asked in a local forum's thread for my model about enabling SB without Microsoft keys, but of course everyone uses Windows 10/11 (even though my laptop has Ubuntu right from the store), so no answer.

And after another week, while I was having 5+ pages in backstack (I mean, the first page led me to the next and so on five or more times), I found this reddit comment, which said to first enable Secure Boot in User Mode and only then to search for OpROMs. And it worked. And there are no option ROMs on my laptop (lucky me I should say, but seems like I knew Linux-first support is more than drivers). Now I have Secure Boot enabled with Microsoft keys, but in a week I'll be brave again and revoke them as they have no meaning in my system.

So, I propose adding this/similar text after "(Example with Option ROM present)" in FAQ:

If you don't have that file, try temporarily enabling Secure Boot with Microsoft keys and looking there again. And ensure your TPM is 2.0.

It will help many others. And sorry for my English, not a native speaker.

P.S. Quickly searched by "faq" and "wiki", found no duplicates.

HeroBrine1st avatar Apr 06 '23 21:04 HeroBrine1st

I'm trying to figure out whether my Lenovo Thinkpad T480s has Option ROM. I use the following command:

sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements |
  grep "BOOT_SERVICES_DRIVER"

When I boot w/SecureBoot in Setup Mode, I have 6 entries, yet I have 0 when I boot with SecureBoot enabled (not with sbctl, though: I used shim+MOK+systemd-boot+UKI).

Although it's only loosely related to your suggestion, this looks related and weird to me. I still can't figure out if it's safe to get rid of Microsoft keys, or if I must add them to avoid bricking my device.

I'd appreciate guidelines in the FAQ. Thoughts?

aurelg avatar Dec 02 '24 16:12 aurelg

Fwiw, sbctl was originally developed on a T480s, you should be fine.

When it comes to entries in the log I'm not sure why they disappear.

Foxboron avatar Dec 02 '24 16:12 Foxboron
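
Added example, not part of the thread and not sbctl code: a shell helper that prints the Secure Boot and Setup Mode state next to the BOOT_SERVICES_DRIVER count, since the comments above report that count changing with the firmware state. The function names and the EFIVARS/EVENTLOG overrides are assumptions of this example, and tpm2_eventlog must be installed.

```shell
#!/bin/sh
# Added example: record firmware state together with the driver-event count,
# so two boots (Setup Mode vs. Secure Boot enabled) can be compared directly.

# Overridable paths (assumption of this example, used for offline testing).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EVENTLOG=${EVENTLOG:-/sys/kernel/security/tpm0/binary_bios_measurements}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# An efivarfs file is 4 attribute bytes followed by the variable data.
# SecureBoot and SetupMode each carry one data byte (0 or 1).
# Prints "unknown" when the variable is missing or unreadable.
efi_flag() {
    f="$EFIVARS/$1-$GLOBAL_GUID"
    [ -r "$f" ] || { echo unknown; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    echo
}

# Count driver-image measurements in tpm2_eventlog output read from stdin.
# Same match string as the command quoted in the thread.
count_driver_events() {
    grep -c 'BOOT_SERVICES_DRIVER' || true   # grep exits 1 on zero matches
}

# Print state and count; returns 2 when the event log file is not readable.
oprom_report() {
    echo "SecureBoot=$(efi_flag SecureBoot) SetupMode=$(efi_flag SetupMode)"
    if [ ! -r "$EVENTLOG" ]; then
        echo "event log not readable: $EVENTLOG"
        return 2
    fi
    n=$(tpm2_eventlog "$EVENTLOG" | count_driver_events)
    echo "BOOT_SERVICES_DRIVER events: $n"
}

# Run only when asked, e.g.: sudo sh oprom-check.sh report
if [ "${1:-}" = "report" ]; then
    oprom_report
fi
```

Running it once per firmware configuration and keeping the output gives a side-by-side record of the state and the count for each boot.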