
#1 2026-02-11 14:11:53

LocodraTheCrow
Member
Registered: 2024-09-04
Posts: 6

Confirming MS signed bootloaders before setting up SB

I've installed my system on an "LVM on LUKS" configuration and I now wish to apply SB with TPM on it, but I'm insecure about the phrasing of "Replacing the platform keys with your own can end up bricking hardware on some machines"

I followed the steps in here and found a signature on my GPU.

I just want to make sure I won't brick my laptop before I go on, and the wiki does not provide a method to check if you do have a Microsoft-signed bootloader, only if you have an OpROM.

I do not dual-boot and there is no Windows OS installed in this laptop, so if this implies that there is no bootloader that Microsoft could sign and this question is really stupid, I apologize, but I just felt too insecure about the phrasing, as stated above.


#2 2026-02-11 19:23:53

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 25,064

Re: Confirming MS signed bootloaders before setting up SB

How UEFIs interpret the presence or absence of things is sadly very dependent on the UEFI implementation (which manufacturer are we talking here?) and there's no general guarantee on how they react to potentially losing the MS keys. If you want to be on the safe side, make sure you keep the MS keys and firmware files; sbctl makes this easy with the -m and -f options respectively.

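Whether the Microsoft CA certificates are actually in your db, both before enrolling and after an `sbctl enroll-keys -m -f`, can be checked directly: the db variable is a chain of EFI_SIGNATURE_LIST structures, and the Microsoft CAs show up as X.509 entries. The script below is an added example for this thread, not code from the forum or from sbctl. It assumes the raw efivarfs layout (a 4-byte attribute word followed by EFI_SIGNATURE_LIST structures), identifies Microsoft CAs by a byte-substring search for their well-known subject names inside the DER blob (a dependency-free heuristic, not a real X.509 parse), and falls back to a constructed sample db with made-up owner GUIDs and fake certificate bytes when no path is given, so it runs offline.

```python
#!/usr/bin/env python3
"""Parse a UEFI signature database (db, dbx, KEK) read from efivarfs and
report whether the stock Microsoft CA certificates are present.

Added example for this thread, not code from the forum or from sbctl.
Assumptions: the first four bytes of the file are the variable attributes,
the rest is a chain of EFI_SIGNATURE_LIST structures, and Microsoft CAs
can be recognised by their subject name appearing as a byte string in the
DER certificate (a heuristic that avoids an X.509 library).
"""
import struct
import sys
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs names variables <name>-<vendor GUID>; db/dbx use the image security GUID.
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Subject common names of the CA certificates Microsoft publishes for db/KEK.
MICROSOFT_CA_NAMES = (
    b"Microsoft Corporation UEFI CA 2011",
    b"Microsoft Windows Production PCA 2011",
    b"Microsoft Corporation KEK CA 2011",
    b"Microsoft UEFI CA 2023",
    b"Windows UEFI CA 2023",
    b"Microsoft Corporation KEK 2K CA 2023",
)

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(data):
    """Return [(signature_type, owner_guid, signature_bytes), ...] for a
    concatenation of EFI_SIGNATURE_LIST structures (attribute word removed)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=type_raw)  # UEFI GUIDs are mixed-endian
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at %d" % off)
        body = data[off + SIG_LIST_HDR.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize at %d" % off)
        for i in range(0, len(body), sig_size):  # each entry: owner GUID + data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def summarize(raw_efivar):
    """Summarise one efivarfs variable: entry counts per type plus the
    Microsoft CA names found inside X.509 entries."""
    entries = parse_signature_lists(raw_efivar[4:])  # skip the attribute word
    summary = {"x509": 0, "sha256": 0, "other": 0, "microsoft": []}
    for sig_type, _owner, blob in entries:
        if sig_type == EFI_CERT_X509_GUID:
            summary["x509"] += 1
            summary["microsoft"] += [n.decode() for n in MICROSOFT_CA_NAMES if n in blob]
        elif sig_type == EFI_CERT_SHA256_GUID:
            summary["sha256"] += 1
        else:
            summary["other"] += 1
    return summary


def build_signature_list(sig_type, owner, blob):
    """Serialise a single-entry EFI_SIGNATURE_LIST (used to build sample data)."""
    sig_size = 16 + len(blob)
    return (SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + sig_size, 0, sig_size)
            + owner.bytes_le + blob)


# Constructed sample db (not a real machine's db): two fake "certificates"
# (a SEQUENCE prefix plus a subject string, not valid DER), one SHA-256 hash
# entry, and made-up SignatureOwner GUIDs.
SAMPLE_OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_OWNER_B = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_DB = (
    b"\x27\x00\x00\x00"  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER_A,
                           b"\x30\x82\x05\xe8" + b"Microsoft Corporation UEFI CA 2011" + bytes(40))
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER_B, bytes(32))
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER_B,
                           b"\x30\x82\x02\x10" + b"Secure Boot Signing Key" + bytes(20))
)


if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_DB
    s = summarize(raw)
    print(f"x509={s['x509']} sha256={s['sha256']} other={s['other']}")
    print("Microsoft CAs present:", ", ".join(s["microsoft"]) or "none")
```

Run it as root with the db path (`DB_PATH` above) before enrolling and again after `sbctl enroll-keys -m -f`; the Microsoft names should still be listed afterwards. A db with no Microsoft entries is exactly the situation the OP is asking about: option ROMs such as a GPU's are signed under the Microsoft Corporation UEFI CA 2011 (the third-party CA), not the Windows PCA, so a db that drops that CA can leave the firmware refusing to run them even with no Windows installed.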

#3 2026-02-12 02:25:25

LocodraTheCrow
Member
Registered: 2024-09-04
Posts: 6

Re: Confirming MS signed bootloaders before setting up SB

It's an Asus ROG Zephyrus G14 (2022), AMD GPU and CPU. Would just keeping the MS-signed stuff by using sbctl with the argument -m be enough? Is it really that simple?


#4 2026-02-14 12:58:33

Everything2067
Member
Registered: 2025-06-29
Posts: 71

Re: Confirming MS signed bootloaders before setting up SB

Even if you clear the existing keys, some BIOSes have an option to restore the MS keys. You can make use of that if you mess up.

Many (including me) do not recommend using secure boot at all. Is there a specific purpose for it?

Last edited by Everything2067 (2026-02-14 12:59:47)


#5 2026-02-14 14:58:01

cryptearth
Member
Registered: 2024-02-03
Posts: 1,982

Re: Confirming MS signed bootloaders before setting up SB

Everything2067 wrote:

Many (including me) do not recommend using secure boot at all. Is there a specific purpose for it?

I'm part of this, with my reason: unless one keeps the chain all the way up to the user-level software and its data, the entire concept breaks at the very point where the context allows the user to execute arbitrary code with access to arbitrary data.
Secure Boot only makes sense if the chain is kept not just from the firmware to the kernel and initrd but all the way to every piece of user-level code along with all its configs and other assets, so everything can be fully validated from the OEM's platform master key up to each and every program executed in the DE, which basically boils down to locked-down kiosk-mode systems.
For an arbitrary system used by your average Joe with root/admin access, able to run code at OS level which can modify the firmware: why would it matter at all if there's a chain for only about half of it, if you can alter it afterwards anyway?

Unless for very specific use cases, Secure Boot has completely failed by design.
