Closed developer91234 closed 4 months ago
I don't know how it would be possible to reuse the keys since we don't have access to the private keys to sign our EFI binaries, but in general the signing command happens in this line:

Don't run `generate-keys` and `enroll-keys`, and update the line above to sign the EFI files in a different way, and that should be it?
`sbctl enroll-keys -m` should preserve the MS keys. I don't think any update to the code is necessary beyond that.
Okay! I don't think I'll add it directly to the script, since this tool provides a very opinionated setup, but since enroll is a one-time operation I'm happy to include it in the README to guide people who want this.

Do I understand correctly that you still need to run `arch-secure-boot generate-keys`, but instead of `arch-secure-boot enroll-keys` you use `sbctl enroll-keys -m`, and that is it?
I believe so, but I haven't tested it. There are some more "comprehensive" solutions that require typing 50 lines of gibberish which I don't even want to think about.
Cool, done in https://github.com/maximbaz/arch-secure-boot/commit/5ecb112fb676e29e16ee830ec525f8d00295b142, thanks!
I meant replace `sbkeysync --verbose` with `sbctl enroll-keys -m`.
I think let's hold off on refining the docs until someone actually tries this; according to the `sbctl` manual, `enroll-keys` might do more, e.g. replace EFI variables too (part of what `arch-secure-boot enroll-keys` does).
I know it's not the most secure approach, but given the big fat warning here it might be necessary under some circumstances and desirable under others (like if you don't want to disable Secure Boot every time you want to load up Windows).
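An added example, not code from this thread, from arch-secure-boot or from sbctl: after running the sequence the thread settles on (`arch-secure-boot generate-keys`, then `sbctl enroll-keys -m`, the `-m`/`--microsoft` flag, in place of the `sbkeysync --verbose` step), the check worth doing before rebooting into Windows is that the `db` variable still carries Microsoft's certificates next to your own. The script reads `db` from efivarfs and walks the EFI_SIGNATURE_LIST chain (the structure the UEFI specification defines for `db`/`dbx`/`KEK`), grouping X.509 entries by their SignatureOwner GUID. It assumes Microsoft's entries carry the well-known owner GUID `77fa9abd-0359-4d32-bd60-28f4e78f784b`, as they do on shipped firmware; the sample `db` bytes, the owner GUID standing in for your generated keys and the placeholder certificate payloads are constructed for the offline run and are not real certificates.

```python
"""Verify that the UEFI Secure Boot db still contains Microsoft-owned X.509
certificates alongside your own after `sbctl enroll-keys -m`.

Added example; not code from arch-secure-boot or sbctl.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs taken from the UEFI specification.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner that Microsoft's db/KEK entries carry on shipped firmware.
# Assumption: sbctl -m tags the Microsoft certificates it enrolls the same way.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
DB_EFIVAR = Path(f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}")

# SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)
HEADER_LEN = 28


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures.

    Returns a list of (SignatureType, SignatureOwner, SignatureData) tuples, one
    per EFI_SIGNATURE_DATA entry. Raises ValueError on a truncated or
    inconsistent list instead of silently reading past it.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # EFI GUIDs are stored in the mixed-endian layout uuid's bytes_le expects.
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, data):
    """Encode one certificate as a single-entry EFI_SIGNATURE_LIST (used for the sample)."""
    sig_size = 16 + len(data)
    return (sig_type.bytes_le
            + struct.pack("<III", HEADER_LEN + sig_size, 0, sig_size)
            + owner.bytes_le + data)


def certs_by_owner(blob):
    """Map SignatureOwner -> SHA-256 fingerprints of the X.509 entries it owns."""
    out = {}
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            out.setdefault(owner, []).append(hashlib.sha256(data).hexdigest())
    return out


def microsoft_certs_present(blob):
    """True if at least one X.509 entry in db is tagged with Microsoft's owner GUID."""
    return MICROSOFT_OWNER_GUID in certs_by_owner(blob)


def read_db():
    # efivarfs prepends a 4-byte attribute word to every variable's data.
    return DB_EFIVAR.read_bytes()[4:]


# Constructed sample (not real certificates): one entry under a made-up owner GUID
# standing in for the keys generate-keys produced, one under Microsoft's owner GUID.
OWN_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWN_ONLY_DB = build_signature_list(EFI_CERT_X509_GUID, OWN_OWNER_GUID,
                                   b"own-db-cert-der-placeholder")
SAMPLE_DB = OWN_ONLY_DB + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID,
                                               b"microsoft-uefi-ca-der-placeholder")


if __name__ == "__main__":
    blob = read_db() if DB_EFIVAR.exists() else SAMPLE_DB
    for owner, fingerprints in certs_by_owner(blob).items():
        tag = "Microsoft" if owner == MICROSOFT_OWNER_GUID else "other"
        for fpr in fingerprints:
            print(f"{owner} ({tag}) sha256={fpr}")
    print("Microsoft certificates present:", microsoft_certs_present(blob))
```

Run it as root on the enrolled machine (reading efivarfs needs root on most setups); without access to `db` it falls back to the constructed sample so the parser can be exercised anywhere. An empty "Microsoft" group means the firmware was switched to user mode with only your keys, which is exactly the state in which Windows Boot Manager (signed under Microsoft's production CA) will be refused and Secure Boot has to be toggled off to boot it. The owner GUID is a labelling convention, not a cryptographic property, so to be sure of what was enrolled compare the printed SHA-256 fingerprints against the Microsoft CA certificates sbctl ships, e.g. with `openssl x509 -inform der -fingerprint -sha256`.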