Hardware-and-Firmware-Security-Guidance

Microsoft Surface devices _do_ support Secure Boot customization

Open · out0xb2 opened this issue 4 years ago · 1 comment

Please remove documentation that incorrectly states that Microsoft Surface does not support UEFI Secure Boot customization. That was true for Surface RT & RT 2, but not for any of the modern PC-class products: they all support programmatic customization after deleting the keys from the BIOS menu.

To customize Surface UEFI Secure Boot:

  1. Boot to Surface BIOS menu
  2. Find the BIOS Security page
  3. Click Secure Boot "Change Configuration"
  4. Select Secure Boot configuration "None"
  5. Exit, Save, reboot

All secure boot keys are now deleted. Boot to a UEFI Shell or the OS of your choice to install your preferred keys. Use SetVariable(), and set PK last. Reboot and enjoy!

I tested this last week using https://github.com/microsoft/mu_tiano_platforms/tree/release/202008/Platforms/OvmfPkg/EnrollDefaultKeys (but with my custom keys).

out0xb2 avatar Feb 08 '21 14:02 out0xb2
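Added example (not code from the issue, the guidance repository, or the linked EnrollDefaultKeys tool) showing the byte layout behind "Use SetVariable(), and set PK last": it wraps a certificate in an EFI_SIGNATURE_LIST, prefixes the EFI_VARIABLE_AUTHENTICATION_2 descriptor with an empty PKCS7 blob that firmware accepts only while in Setup Mode (i.e. after the keys were deleted in the BIOS menu), and orders the writes so PK is written last. The certificate bytes, SignatureOwner GUID and timestamp are constructed placeholders.

```python
import struct
import uuid

# GUIDs and constants from the UEFI specification; uuid.bytes_le gives the on-wire encoding.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7").bytes_le
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
VENDOR = {"PK": EFI_GLOBAL_VARIABLE, "KEK": EFI_GLOBAL_VARIABLE,
          "db": EFI_IMAGE_SECURITY_DATABASE, "dbx": EFI_IMAGE_SECURITY_DATABASE}
# NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
ATTRIBUTES = 0x01 | 0x02 | 0x04 | 0x20
WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID = 0x0200, 0x0EF1

# Constructed placeholders: DUMMY_CERT stands in for a real DER certificate, OWNER for your owner GUID.
DUMMY_CERT = b"\x30\x03\x02\x01\x01"
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")


def signature_list(cert_der, owner):
    """EFI_SIGNATURE_LIST (28-byte header) holding one EFI_SIGNATURE_DATA
    (16-byte SignatureOwner GUID + DER certificate) of type EFI_CERT_X509_GUID."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def auth2_setup_mode(payload, ts=(2021, 2, 8, 14, 2, 0)):
    """Prefix payload with EFI_VARIABLE_AUTHENTICATION_2 carrying an EMPTY PKCS7
    blob. In Setup Mode (keys deleted via the BIOS menu) the firmware stores the
    variable without checking a signature; once PK is written the platform is in
    User Mode and the same unsigned update would be rejected, hence PK goes last."""
    y, mo, d, h, mi, s = ts
    # EFI_TIME: Nanosecond, TimeZone, Daylight and the pad bytes must be zero.
    efi_time = struct.pack("<HBBBBBBIhBB", y, mo, d, h, mi, s, 0, 0, 0, 0, 0)
    cert_data = b""  # no signature supplied in Setup Mode
    dw_length = 8 + 16 + len(cert_data)  # WIN_CERTIFICATE hdr + CertType GUID + CertData
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID + cert_data + payload


def enrollment_plan(keys, owner=OWNER):
    """Return (name, vendor GUID, attributes, data) tuples in the order the
    SetVariable() calls must be issued: dbx/db and KEK first, PK strictly last."""
    if "PK" not in keys:
        raise ValueError("a PK is needed to leave Setup Mode")
    order = [n for n in ("dbx", "db", "KEK") if n in keys] + ["PK"]
    return [(n, VENDOR[n], ATTRIBUTES, auth2_setup_mode(signature_list(keys[n], owner)))
            for n in order]
```

Handing each tuple to SetVariable() (from a UEFI shell application, or via efivarfs on Linux) is left to the environment you boot into after step 5.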

@iadgovuser1 , perhaps you can ask 43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973 if they would prefer a PR?

Also advise that some work here is duplicating effort, see here: https://github.com/tianocore/edk2-pytool-library/blob/master/edk2toollib/uefi/authenticated_variables_structure_support_test.py

out0xb2 avatar Feb 08 '21 17:02 out0xb2