Seems that on Surface Go UEFI there's no way to delete Secure Boot keys (only an option to enable or disable Secure Boot, it's the most featureless UEFI interface on the planet). I read somewhere that clearing TPM should delete Secure Boot keys, but I tried to do it replacing steps 1, 2, 3, 4 and 5. The result is that I can successfully continue with the next steps on the wiki, but at the end of the process the system reports that Secure Boot is enabled and Microsoft keys are enrolled; I can even sign the modules:
# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: XXXXXX
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
# sbctl enroll-keys -m
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: XXXXXXX
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
# sbctl sign -s /boot/vmlinuz-linux (already signed, just to show the process was done).
File has already been signed /boot/vmlinuz-linux
# sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
File has already been signed /efi/EFI/GRUB/grubx64.efi
# sbctl sign -s /boot/vmlinuz-linux-surface
File has already been signed /boot/vmlinuz-linux-surface
# sbctl verify
Verifying file database and EFI images in /efi...
✓ /boot/vmlinuz-linux is signed
✓ /boot/vmlinuz-linux-surface is signed
✓ /efi/EFI/GRUB/grubx64.efi is signed
Then I reboot the Surface Go, and when I check the status again all seems fine:
[root@SurfaceGo-ARCH01 daniel]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: XXXXXXX
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: microsoft
# mokutil --sb-state
SecureBoot enabled
The thing is that Secure Boot is not really enabled: when I boot the Surface I see the red open lock, and if I enter the UEFI settings and enable Secure Boot, I can no longer boot, with a "Security Boot Fail". What could be wrong?
I don't think Surface has a setup mode, unfortunately. If you disable Secure Boot, it will show up as setup mode in sbctl, but I think it is not actually in setup mode.
Hi! Good morning.
I'm trying to make the Surface Go 2018 boot with Secure Boot, following the wiki: https://github.com/Foxboron/sbctl/blob/master/docs/workflow-example.md
That's the tree structure from /efi and /boot:
I just followed that procedure on a desktop with a "normal" Asus UEFI and it worked just fine. What could be the issue?
Thanks in advance and have a good week.
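The mismatch raised in the reply above, a setup-mode flag that may not reflect the firmware's real key state, can be cross-checked by reading the Secure Boot variables straight from efivarfs and listing who owns the enrolled keys. This is an added example, not part of the thread or of sbctl; it assumes sbctl uses its Owner GUID as the SignatureOwner of the keys it enrolls, and `diagnose`, `owners`, `make_var` and `sig_list` are hypothetical names.

```python
import os, struct, uuid

GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
IMGSEC = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # image security database GUID
VARS = {"SetupMode": GLOBAL, "SecureBoot": GLOBAL, "PK": GLOBAL, "KEK": GLOBAL, "db": IMGSEC}

def read_var(root, name):
    """Return a variable's data without the 4-byte efivarfs attribute prefix."""
    try:
        with open(os.path.join(root, f"{name}-{VARS[name]}"), "rb") as f:
            return f.read()[4:]
    except OSError:
        return b""  # variable absent or unreadable

def owners(data):
    """Collect the SignatureOwner GUID of every entry in a run of EFI_SIGNATURE_LISTs."""
    found, off = set(), 0
    while off + 28 <= len(data):
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(data):
            break  # malformed list: stop rather than read out of bounds
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            found.add(str(uuid.UUID(bytes_le=data[pos:pos + 16])))
            pos += sig_size
        off += list_size
    return found

def diagnose(owner_guid, root="/sys/firmware/efi/efivars"):
    """Compare the firmware's mode flags with what the key variables really hold."""
    flag = lambda n: read_var(root, n)[:1] == b"\x01"
    res = {"setup_mode": flag("SetupMode"), "secure_boot": flag("SecureBoot"),
           "pk_present": bool(read_var(root, "PK")), "findings": []}
    res["owner_in"] = {n: owner_guid.lower() in owners(read_var(root, n))
                       for n in ("PK", "KEK", "db")}
    if res["setup_mode"] and res["pk_present"]:  # UEFI: setup mode means no PK enrolled
        res["findings"].append("SetupMode=1 although a PK is enrolled")
    missing = [n for n, ok in res["owner_in"].items() if not ok]
    res["findings"] += ["owner GUID absent from " + ", ".join(missing)] if missing else []
    return res

# Builders for constructed efivarfs-style files, so the check can be exercised offline.
def make_var(root, name, data):
    with open(os.path.join(root, f"{name}-{VARS[name]}"), "wb") as f:
        f.write(b"\x07\x00\x00\x00" + data)  # constructed attribute word + payload

def sig_list(owner, payload=b"constructed-cert"):
    sig = uuid.UUID(owner).bytes_le + payload  # SignatureOwner + SignatureData
    return bytes(16) + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
```

Run `diagnose()` as root with the Owner GUID from `sbctl status` after rebooting; an empty `findings` list means the flags and the enrolled keys agree.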