secure-boot

Enroll keys/certs in UEFI

Open gdamjan opened this issue 7 years ago • 5 comments

efi-updatevar can do it.

Preliminary support in 889cc7a

gdamjan, Dec 19 '17 00:12

I personally have used sbsign in the same way this script does without problems on my ThinkPad T440s via efitools KeyTool.efi, placing my keys in the ESP partition and enrolling them through the BIOS.

What kind of testing would you like from users?

HermannBjorgvin, Jan 02 '18 04:01

Yes, I used KeyTool.efi too, it's a bit cumbersome. By using efi-updatevar (see the commit referenced above) it can be done from Linux, but I wonder if that's supported on all computers. It did work in qemu with ovmf.

gdamjan, Jan 02 '18 09:01

An ideal way would be to detect support for this. But I don't know enough about efibootmgr or how UEFI is implemented. I've probably repaired around 500-1000 UEFI laptops though, and the way manufacturers implement their BIOS is usually pretty uniform, but with occasional BIOSes that are almost hilariously crippled. Hope that helps.

HermannBjorgvin, Jan 03 '18 03:01
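
The pre-flight check discussed in the comments above, as an added example that is not part of the thread or of the project's script: it reads the standard `SetupMode` variable from efivarfs to tell whether the firmware is waiting for keys. The function names and the sample directory are hypothetical. A firmware can still reject the write when this check passes.

```shell
#!/bin/sh
# Added example: report the Secure Boot enrollment state from efivarfs.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# An efivarfs file is a 4-byte attribute header followed by the value, so the
# one-byte value of SetupMode sits at offset 4.
efi_byte() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Prints one of:
#   no-efivarfs  not booted via UEFI, or efivarfs is not mounted
#   setup-mode   no PK enrolled; firmware accepts unauthenticated key writes
#   user-mode    a PK is enrolled; key updates must be signed
enroll_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    setup=$(efi_byte "$dir" SetupMode) || { echo no-efivarfs; return 0; }
    if [ "$setup" = 1 ]; then echo setup-mode; else echo user-mode; fi
}

# Constructed sample: a fake efivars directory whose SetupMode value is $1.
make_sample() {
    d=$(mktemp -d)
    { printf '\006\000\000\000'; printf "\\00$1"; } > "$d/SetupMode-$EFI_GLOBAL"
    echo "$d"
}

enroll_state "$@"
```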

The blog reads as if efi-updatevar should be supported on anything with kernel >= 3.8.

a1lu, Dec 17 '20 20:12

> The blog reads as if efi-updatevar should be supported on anything with kernel >= 3.8.

Didn't work for me the last time I tried it :(, and it was not a kernel limitation.

gdamjan, Dec 18 '20 04:12