Open alexgg opened 2 years ago
Testing details:
TianoCore used in QEMU is able to program KEK and db, but complains about the PK keys. According to posts in https://blog.hansenpartnership.com/category/uefi/uefi-secure-boot/, this will probably be fixed in the TianoCore firmware - maybe the version I am using is outdated.
When testing on real Intel NUC hardware, the keys are correctly programmed when booting in setup mode.
Typically, BIOS will boot in setup mode when all keys are cleared from the store. In this mode, the flasher image will program the keys available under /mnt/boot/balena-keys so that secure boot is enabled in the next boot. Also, when performing a hostOS update, new keys will be added to the list if they differ from the previously available keys.
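An added example, not part of the original comment and not the project's own code: the two checks described above, detecting setup mode and working out which shipped keys are not yet enrolled. It assumes the `SetupMode` variable is read from efivarfs (4-byte attribute word, then the data) and that keys are handled as raw `EFI_SIGNATURE_LIST` data; the helper names and sample bytes are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification (signature type for DER certificates).
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def efivar_payload(raw: bytes) -> bytes:
    """efivarfs files start with a 4-byte attribute word; return the data after it."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs variable")
    return raw[4:]

def in_setup_mode(setup_mode_raw: bytes) -> bool:
    """SetupMode is one byte: 1 means no PK is enrolled and keys can be programmed."""
    return efivar_payload(setup_mode_raw) == b"\x01"

def parse_esl(data: bytes):
    """Yield (type, owner, signature bytes) for each entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = data[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def keys_to_append(current: bytes, shipped: bytes):
    """Entries in the shipped list whose (type, data) is not already enrolled."""
    have = {(t, d) for t, _, d in parse_esl(current)}
    return [(t, o, d) for t, o, d in parse_esl(shipped) if (t, d) not in have]

def make_esl(owner: uuid.UUID, cert: bytes) -> bytes:
    """Build a one-entry X.509 signature list (used for the constructed sample below)."""
    entry = owner.bytes_le + cert
    return EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry

# Constructed sample data: placeholder bytes stand in for DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
ENROLLED = make_esl(OWNER, b"old-cert")
SHIPPED = make_esl(OWNER, b"old-cert") + make_esl(OWNER, b"new-cert")
```

On a running system the `SetupMode` bytes would come from `/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c`.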