Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

My laptop won't reboot after enrolling the keys #229

Open alogim opened 12 months ago

alogim commented 12 months ago

I followed the guide here:

sbctl status
sbctl create-keys
sbctl enroll-keys
sbctl status
Installed:  ✔ Sbctl is installed
Owner GUID: <my-guid>
Setup Mode: ✔ Disabled
Secure Boot:    ✘ Disabled

And then I rebooted as it was written, but now my laptop doesn't properly turn on. The Caps Lock keeps going on and off intermittently and the screen is not powered on at all. I can't access the BIOS/UEFI or anything else.

Not sure what's going on.

conrad-heimbold commented 12 months ago

I guess it's because the Microsoft Third Party UEFI CA certificate is missing?

The Arch Wiki warns about that: Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g. GPU) firmware (OpROMs), which gets executed during boot, is signed using the Microsoft 3rd Party UEFI CA certificate.

The How-To in the README.md is bad in this regard.

The command should have been

sbctl enroll-keys --microsoft

... instead of just:

sbctl enroll-keys

Your laptop probably had some OpROMs that were signed like this...

I don't know how to fix this, but I guess you can find some more help with this information.

conrad-heimbold commented 12 months ago

The Arch Wiki also says this: (screenshot of the Arch Wiki, 2023-07-07)

NekkoDroid commented 11 months ago

To give some possible ways to fix this:

  1. Try clearing the CMOS of your MoBo
  2. If you have access to your BIOS/UEFI there might be an option to reset keys to factory default

To give some suggestions to the project (maybe):

I feel like the -m/--microsoft should be the default (omitable) since it easily can cause problems when you don't provide it. For those that would still want to not include MS keys there could be --no-ms-keys.

starchturrets commented 11 months ago

If you don't want to include MS keys and have OPROMs then --tpm-eventlog should be used I think.

IPlayZed commented 2 weeks ago

TPM event log is just as safe and if sbctl does not allow enrolling your own keys as OPROMs are detected, just use that.

In my understanding @alogim had to explicitly use the yolo option to enroll the custom keys anyway.

> To give some suggestions to the project (maybe):
>
> I feel like the -m/--microsoft should be the default (omitable) since it easily can cause problems when you don't provide it. For those that would still want to not include MS keys there could be --no-ms-keys.

As the above commenter mentioned, you could use the tpm eventlog if you do not want to enroll Microsoft or OEM keys. You can also enroll your OEM keys and append it via yours using the append option.
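The thread boils down to a pre-flight decision before running `sbctl enroll-keys`: refuse if the firmware is not in Setup Mode, keep the Microsoft certificates unless a TPM event log is available to detect OpROMs, and never fall through to a bare enrollment. The script below is an added example written for this issue, not part of sbctl; it assumes efivarfs is mounted at /sys/firmware/efi/efivars (SetupMode under the EFI global variable GUID) and that the kernel exposes the TPM event log at /sys/kernel/security/tpm0/binary_bios_measurements, and it only prints the command it would run.

```shell
#!/bin/sh
# Pre-flight check before `sbctl enroll-keys` (added example, not sbctl's own code).
# Assumed paths (override via environment for testing):
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EVENTLOG="${EVENTLOG:-/sys/kernel/security/tpm0/binary_bios_measurements}"
SETUPMODE_VAR="SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE GUID

# efivarfs files carry a 4-byte attribute header before the variable data;
# SetupMode is one byte: 1 = firmware is in Setup Mode, 0 = user mode (PK enrolled).
read_efivar_byte() {
    # $1 = path to an efivarfs variable file
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Decide which enroll-keys flags are safe to suggest.
# $1 = SetupMode byte, $2 = yes|no whether a TPM event log is readable,
# $3 = ms (keep Microsoft certs) or own (enroll only your own keys).
# Prints the flags for `sbctl enroll-keys`; returns non-zero if enrolling should stop.
choose_enroll_flags() {
    setup_mode=$1; have_eventlog=$2; want=$3
    if [ "$setup_mode" != "1" ]; then
        echo "refuse: firmware is not in Setup Mode; clear the PK in firmware settings first" >&2
        return 1
    fi
    case $want in
        ms)  echo "--microsoft" ;;      # keeps the Microsoft 3rd Party UEFI CA, so MS-signed OpROMs still load
        own)
            if [ "$have_eventlog" = "yes" ]; then
                echo "--tpm-eventlog"    # whitelist OpROM hashes measured in the event log instead of MS certs
            else
                echo "refuse: no TPM event log to detect OpROMs; use --microsoft instead" >&2
                return 1
            fi ;;
        *) echo "usage: choose_enroll_flags <setupmode> <yes|no> <ms|own>" >&2; return 2 ;;
    esac
}

# $1 = ms|own. Reads the live firmware state and prints the command to run.
preflight() {
    mode=$(read_efivar_byte "$EFIVARS/$SETUPMODE_VAR") \
        || { echo "cannot read $SETUPMODE_VAR from $EFIVARS" >&2; return 1; }
    if [ -r "$EVENTLOG" ]; then log=yes; else log=no; fi
    flags=$(choose_enroll_flags "$mode" "$log" "$1") || return $?
    echo "sbctl enroll-keys $flags"
}
```

Running `preflight ms` on a machine still in Setup Mode prints `sbctl enroll-keys --microsoft`; once a PK is enrolled (SetupMode 0) it refuses rather than suggesting any enrollment.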