
#1 2020-05-29 09:25:54

leanhtai01
Member
Registered: 2017-04-23
Posts: 19

[PreLoader] How do I delete the hash of EFI binaries already enrolled?

I'm setting up Secure Boot using PreLoader.
I know each time I update any of the binaries (e.g. boot loader or kernel) I will need to enroll their new hash and every new registration chews up a little space in your NVRAM.
My question is: How do I delete the hash of the old EFI binaries (or even the hash of my current EFI binaries)?

Last edited by leanhtai01 (2020-05-29 14:02:37)

Offline

#2 2020-12-16 23:37:18

naguz
Member
Registered: 2008-11-05
Posts: 98

Re: [PreLoader] How do I delete the hash of EFI binaries already enrolled?

Did you ever figure this out? I have a hard time figuring this out myself. After trying to get shim to work (it would never boot grub no matter what) I switched to PreLoader. It worked and booted right up WITHOUT me needing to add anything in HashTool. I'm guessing MokTool from shim managed to add it. I have since added an .efi file with HashTool in PreLoader. I cannot find anything that shows the added hashes. Not mokutil, not efi.-vars, not anything. I can't seem to find any information online either. It's very strange. And for once the wiki has failed me miserably.

Offline

#3 2020-12-17 00:46:26

loqs
Member
Registered: 2014-03-06
Posts: 17,315

Re: [PreLoader] How do I delete the hash of EFI binaries already enrolled?

naguz, have you tried using `mokutil --delete-hash` to create a deletion request, then reboot and from firmware use MOK manager to process the request?

Offline

#4 2020-12-17 17:16:35

naguz
Member
Registered: 2008-11-05
Posts: 98

Re: [PreLoader] How do I delete the hash of EFI binaries already enrolled?

Yes, I tried mokutil without luck. Mokutil and MOK manager have not been working on my Surface Pro 3 for some reason. Nothing I did in mokutil would get picked up by mok manager/shim. Binaries whose hashes I added by mok manager did not get accepted/booted by shim either, so something there wasn't quite right. Also, mokutil would not show any added hashes.

KeyTool from efitools luckily did the trick. It was able to clean up the hashes (albeit one at a time). There were quite a few entries, seemed like mok manager had added duplicates.

Last edited by naguz (2020-12-17 17:21:05)

Offline

#5 2022-06-29 08:59:33

Sffred
Member
Registered: 2020-08-30
Posts: 50

Re: [PreLoader] How do I delete the hash of EFI binaries already enrolled?

@naguz can you show me how to use the KeyTool to list and delete the hashes? I am also struggling with this task right now.
-------
I have figured it out. One needs to copy the KeyTool.efi to ESP and run it from Preloader.

Last edited by Sffred (2022-06-29 09:38:28)

Offline
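For readers who want to inspect enrolled hashes outside KeyTool, here is an added example (not part of any post above and not code from efitools or shim) that parses the UEFI `EFI_SIGNATURE_LIST` layout used for Secure Boot hash lists, prints the SHA-256 entries and reports duplicates like the ones mentioned in post #4. It assumes the raw list bytes are already available; the thread does not say how to export them, so the sample data, the owner GUID and all function names are constructed for illustration.

```python
import struct
import uuid
from collections import Counter

# SHA-256 signature type GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for each entry in chained EFI_SIGNATURE_LISTs."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, header_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body = list_size - LIST_HEADER.size - header_size
        if list_size > len(blob) - offset or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored mixed-endian
        start = offset + LIST_HEADER.size + header_size
        for pos in range(start, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset += list_size
    return entries

def sha256_hashes(blob):
    """Hex digests of all SHA-256 entries, in stored order."""
    return [d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID]

def duplicate_hashes(blob):
    """Digests that appear more than once, with their counts."""
    return {h: n for h, n in Counter(sha256_hashes(blob)).items() if n > 1}

def build_sha256_list(owner, digests):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (only used for the sample)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    head = LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, LIST_HEADER.size + len(body), 0, 48)
    return head + body

# Constructed sample: two lists, with the digest aa..aa enrolled twice.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
SAMPLE = (build_sha256_list(OWNER, [b"\xaa" * 32, b"\xbb" * 32])
          + build_sha256_list(OWNER, [b"\xaa" * 32]))

if __name__ == "__main__":
    print("\n".join(sha256_hashes(SAMPLE)))
    print("duplicates:", duplicate_hashes(SAMPLE))
```
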

#6 2022-06-29 12:07:54

2ManyDogs
Forum Fellow
Registered: 2012-01-15
Posts: 4,645

Re: [PreLoader] How do I delete the hash of EFI binaries already enrolled?

Closing this old topic.

Offline
