This is my first time messing with UEFI software keys. I want to sign the nvidia gpu drivers and be able to change them to revert or test the public beta if I choose.

The linked article has a description of the 4 key types and how to view them. Then it instructs you to make a backup:

# mkdir /backup && cd /backup
# efi-readvar > efi-original-keys.txt
# efi-readvar -v PK -o PK.original.esl
# efi-readvar -v KEK -o KEK.original.esl
# efi-readvar -v db -o db.original.esl
# efi-readvar -v dbx -o dbx.original.esl

I’m not going to repeat everything here. The device in the article is a KVM that has the PK owner of Red Hat. I’m working with a Gigabyte laptop. The example has a bootloader option to specifically “reset secure boot keys.” Is this odd? My option in the bootloader says “Delete all secure boot variables” with a description section that says “Delete all secure boot key databases from NVRAM.”

Does the rest of this guide look complete? I have a W11 drive I want to keep available. I’m super nervous to mess with something this complicated for the first time when I have not had any experience with this before, and I’m messing with the most expensive hw I’ve ever had.

Thanks in advance if anyone with experience in this can take a look and verify the methodology or can suggest another proven documentation source.

(Archive link to avoid adblock blocker nonsense)

LATE EDIT FOR POTENTIAL USERS FINDING THIS IN SEARCHES: The guide attached to this post is okay, but it neglects a few points. First of all, it generates a 4096-bit key and doesn’t really tell you that most UEFI implementations will only accept the default 2048-bit keys that are specified in the standard. The section of the old Sakaki install guide for Gentoo that details how to install Secure Boot keys is better and has more detail. If your understanding of this subject is not well grounded, this guide may be somewhat overwhelming. At least it was for me when I did my first Gentoo install using this a couple of years ago. (Yeah, I totally forgot about this until yesterday.) This guide also describes how to use a tool called KeyTool. It is used to boot into the actual UEFI system and make changes directly.

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot

This guide by the US government on UEFI Secure Boot also covers what to do in Linux and Windows along with a lot more detail about ways to use Secure Boot and bootloader vulnerabilities:

https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
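Before enrolling anything, it is worth confirming that the .esl backups written by efi-readvar above actually contain what you expect. This added Python parser is not from the original post or from efitools; it walks the EFI_SIGNATURE_LIST structures in such a file, and the owner GUID, hashes and placeholder certificate it feeds itself are constructed sample data.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
HEADER_FMT = "<III"  # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + struct.calcsize(HEADER_FMT)  # SignatureType GUID + 3 x UINT32 = 28

@dataclass
class Signature:
    sig_type: str      # "sha256", "x509", or the raw GUID string if unknown
    owner: uuid.UUID   # SignatureOwner: who enrolled this entry
    data: bytes        # the SHA-256 hash or DER certificate

def parse_esl(blob: bytes) -> list[Signature]:
    """Walk concatenated EFI_SIGNATURE_LIST structures (what `efi-readvar -o`
    writes) and return every EFI_SIGNATURE_DATA entry, rejecting corrupt sizes."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("trailing bytes shorter than a list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off + 16)
        body = HEADER_LEN + hdr_size
        if list_size < body or off + list_size > len(blob):
            raise ValueError("SignatureListSize runs past the data")
        if sig_size <= 16 or (list_size - body) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for pos in range(off + body, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append(Signature(name, owner, blob[pos + 16:pos + sig_size]))
        off += list_size
    return entries

def summarize(blob: bytes) -> dict[str, int]:
    """Count entries per signature type, e.g. {'sha256': 2, 'x509': 1}."""
    counts: dict[str, int] = {}
    for sig in parse_esl(blob):
        counts[sig.sig_type] = counts.get(sig.sig_type, 0) + 1
    return counts

def is_well_formed(blob: bytes) -> bool:
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False

def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, items: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    body = b"".join(owner.bytes_le + item for item in items)
    sig_size = 16 + len(items[0])
    return sig_type.bytes_le + struct.pack(HEADER_FMT, HEADER_LEN + len(body), 0, sig_size) + body

# Constructed sample: made-up owner GUID, two hash entries, one placeholder (non-DER) cert.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_HASHES = [hashlib.sha256(b"constructed-binary-%d" % i).digest() for i in range(2)]
SAMPLE_ESL = (build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
              + build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x03\x02\x01\x00"]))
```

Run it against db.original.esl to see how many certificates and hashes are enrolled and under which owner GUID before you touch the variables.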

  • @dack · 1 year ago

    Be careful with removing the Microsoft keys. You can lock yourself out in some cases. For example, GPU firmware may be signed with the Microsoft keys. This means that your GPU will no longer work and you can’t access the UEFI config to fix it. That’s not too big of a deal in a desktop, since you can usually switch to the integrated GPU to fix things. But on a laptop you might be totally screwed.

    • @j4k3 (OP) · 1 year ago

      Thanks for the heads up. One of the external ports is dedicated to the Intel integrated GPU.