Enroll keys/certs in UEFI

gdamjan / secure-boot

UEFI SecureBoot for ArchLinux

59 stars 3 forks source link

Enroll keys/certs in UEFI #6

Open gdamjan opened 6 years ago

gdamjan commented 6 years ago

efi-updatevar can do it.

Preliminary support in 889cc7a

HermannBjorgvin commented 6 years ago

I personally have used sbsign in the same way this script does without problem on my Thinkpad T440s via efitools KeyTool.efi. Placing my keys in the ESP partition and enrolling them through the bios.

What kind of testing by users would you like from users?

gdamjan commented 6 years ago

Yes, I used KeyTool.efi too, it's a bit cumbersome. By using efi-updatevar (see the commit referenced above) it can be done from Linux, but I wonder if that's supported on all computers. It did work in qemu with ovmf

HermannBjorgvin commented 6 years ago

An ideal way would be to detect support for this. But I don't know enough about how efibootmgr or how UEFI is implemented. I've probably repaired around 500-1000 UEFI laptops though and the way manufacturers implement their BIOS is usually pretty uniform but with occasional BIOS'es that are almost hilariously crippled. Hope that helps.

a1lu commented 3 years ago

The blog reads like that efi-updatevars should be supported on anything with kernel >=3.8

gdamjan commented 3 years ago

The blog reads like that efi-updatevars should be supported on anything with kernel >=3.8

didn't work for me, last time I've tried it :(, and it was not a kernel limitation.