
#1 2023-07-28 18:07:53

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Secure Boot

Originally, it seemed simple enough. Just run

sbctl create-keys

and

sbctl enroll-keys

However, when running that second command I get:

Could not find any TPM Eventlog in the system. This means we do not know if there is any OptionROM present on the system.

There are three flags that can be used:
    --microsoft: Enroll the Microsoft OEM certificates into the signature database.
    --tpm-eventlog: Enroll OpRom checksums into the signature database (experimental!).
    --yes-this-might-brick-my-machine: Ignore this warning and continue regardless.

Please read the FAQ for more information: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom

Yes, I read the FAQ link that it listed. HOWEVER, my system does not have (or at least as far as I know) a TPM module.

The path mentioned in the FAQ linked does not exist.

My motherboard is an ASUSTeK COMPUTER INC. P8B75-M

Last edited by JaydenDev (2023-07-28 19:46:36)


System Specs:
Intel Core i5-2400 Nvidia GTX 1050ti Logitech G402 Hyperion Fury (Mouse) BestBuy Essentials USB Keyboard
Software Specifications:
Desktop Environment: KDE Plasma Window Manager: KWin Operating System: Arch Linux (btw)


#2 2023-07-28 19:48:24

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

If in doubt, run "sbctl enroll-keys --microsoft", to avoid bricking your system.

If you know your system doesn't have any option ROMs you can also use --yes-this-might-brick-my-machine, but the flag's name is meant literally: you've been warned.


#3 2023-07-28 19:56:41

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

lunaryorn wrote:

If in doubt, run "sbctl enroll-keys --microsoft", to avoid bricking your system.

If you know your system doesn't have any option ROMs you can also use --yes-this-might-brick-my-machine, but the flag's name is meant literally: you've been warned.

I both do not know what an option ROM is and do not know if my system has one.


#4 2023-07-28 20:01:56

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

The BIOS seemed to have a Windows UEFI option in the secure boot area; however, after running "sbctl enroll-keys --microsoft" and using the Microsoft option in the BIOS it was impossible to boot into my Arch installation. Only after setting it to "Other OS" did it boot, but sbctl says that secure boot is disabled.


#5 2023-07-28 20:04:15

loqs
Member
Registered: 2014-03-06
Posts: 18,859

Re: Secure Boot

JaydenDev wrote:

I both do not know what an option ROM

https://en.wikipedia.org/wiki/Option_ROM


#6 2023-07-28 20:09:06

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

loqs wrote:
JaydenDev wrote:

I both do not know what an option ROM

https://en.wikipedia.org/wiki/Option_ROM

I remember seeing an option having something to do with some kind of ROM in the BIOS settings. Might be related?


#7 2023-07-28 20:41:37

Perniciosius
Member
Registered: 2023-07-17
Posts: 4

Re: Secure Boot

Have you tried using shim for secure boot instead?


#8 2023-07-28 21:08:57

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

I don't think it's related; in any case you don't need to reach for firmware settings here.  You can enroll keys with sbctl alone.

Please show the output of "sbctl status" to ensure that the firmware is in setup mode for secure boot.  If it is, run "sbctl enroll-keys --microsoft" to enroll secure boot including the Microsoft key.  This sets up secure boot and adds the Microsoft certificate to the database.  Without knowing your hardware and without a TPM to measure and log the firmware boot process that's the only safe way to enable secure boot on your system.

If you'd not like to trust Microsoft's keys you can alternatively use "sbctl enroll-keys --yes-this-might-brick-my-machine" to enroll only your own keys, but this might indeed brick your system, especially if you don't have an iGPU.  Use at your own risk.


#9 2023-07-28 21:25:15

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

After enrolling the keys Arch no longer boots. I have to clear the keys before I am able to boot into Arch.


#10 2023-07-29 05:15:03

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

Did you sign your kernel?  What is the output of sbctl verify?


#11 2023-07-29 17:32:04

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

lunaryorn wrote:

Did you sign your kernel?  What is the output of sbctl verify?

sudo sbctl verify
[sudo] password for user: 
Verifying file database and EFI images in /efi...
failed to verify file /efi/grub/x86_64-efi/core.efi: no pem block
failed to verify file /efi/grub/x86_64-efi/grub.efi: no pem block
failed to verify file /efi/vmlinuz-linux: no pem block

Note: I cut out the output related to the Windows installation on a different drive.


#12 2023-07-29 17:41:19

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

So you did not sign the kernel or the boot loader?  Did you ever run "sbctl sign" or "sbctl bundle" at any point?


#13 2023-07-29 17:43:17

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

lunaryorn wrote:

So you did not sign the kernel or the boot loader?  Did you ever run "sbctl sign" or "sbctl bundle" at any point?

Do I sign all the files that were in the output of sudo sbctl verify?


#14 2023-07-29 17:51:42

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

You need to sign those files you'd like to boot, that is, your bootloader and your kernel.  But first of all, you really do need to understand secure boot.

I mean no offence, but it just looks as if you have absolutely no clue what you're actually doing.  If you never signed any files on /efi, it's absolutely expected that the system doesn't boot anymore after enrolling custom keys.  So if this came as a surprise to you, you really need to work on the basics.


#15 2023-07-29 18:01:03

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

lunaryorn wrote:

You need to sign those files you'd like to boot, that is, your bootloader and your kernel.  But first of all, you really do need to understand secure boot.

I mean no offence, but it just looks as if you have absolutely no clue what you're actually doing.  If you never signed any files on /efi, it's absolutely expected that the system doesn't boot anymore after enrolling custom keys.  So if this came as a surprise to you, you really need to work on the basics.

Attempting to sign the keys like the Arch wiki page says, it's saying "no pem block".


#16 2023-07-29 18:02:51

loqs
Member
Registered: 2014-03-06
Posts: 18,859

Re: Secure Boot

JaydenDev wrote:

Attempting to sign the keys like the Arch wiki page says, it's saying "no pem block".

Please provide the command used and its output: https://bbs.archlinux.org/viewtopic.php?id=57855


#17 2023-07-29 18:05:11

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

loqs wrote:
JaydenDev wrote:

Attempting to sign the keys like the Arch wiki page says, it's saying "no pem block".

Please provide the command used and its output: https://bbs.archlinux.org/viewtopic.php?id=57855

$ sudo sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	00e4b724-0ae2-4b2e-8ae1-1eb732976e73
Setup Mode:	✗ Enabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft
$ sudo sbctl sign -s /boot/vmlinuz-linux
no pem  block


#18 2023-07-29 18:13:05

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

Looks as if the keys are corrupted…

What's the output of "sudo find /usr/share/secureboot/keys/" and "sudo file /usr/share/secureboot/keys/**/*"?  Since you're still in setup mode and haven't signed anything yet, perhaps try to generate a fresh set of keys?  "sudo rm -rf /usr/share/secureboot/" and then "sbctl create-keys" again?

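The checks lunaryorn asks for in #8, #14 and #18 (the firmware must be in setup mode, the key files must be valid PEM, and every boot file must already be signed before custom keys are enrolled) collected into one pre-flight script. This is an added example, not code from the thread or from sbctl itself: it takes the key directory /usr/share/secureboot/keys/, the tab-separated "sbctl status" lines and the "failed to verify file ...: no pem block" lines from the output posted above, assumes the "✗ <path> is not signed" form for unsigned files in a normal "sbctl verify" run, and works on constructed sample data instead of calling sbctl, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from sbctl itself: pre-flight
# checks before "sbctl enroll-keys", following the advice in the thread that
# the firmware must be in setup mode, the key material must be valid PEM, and
# every boot file must already be signed, or the machine will not boot once
# the custom keys are enrolled.
# The key directory /usr/share/secureboot/keys/, the "Field:<TAB>value"
# status lines and the "failed to verify file ...: no pem block" verify lines
# are taken from the thread; the "✗ <path> is not signed" form is an
# assumption about a normal sbctl verify run, and all sample data below is
# constructed.

# pem_ok FILE: succeed only if FILE holds a complete PEM block
pem_ok() {
    grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"
}

# keys_ok DIR: fail, listing offenders, if any .key/.pem under DIR is not PEM
# (a non-PEM key is what made "sbctl sign" answer "no pem block" above)
keys_ok() {
    _bad=0
    for _f in $(find "$1" -type f \( -name '*.key' -o -name '*.pem' \) | sort); do
        if ! pem_ok "$_f"; then
            echo "not a PEM file: $_f"
            _bad=1
        fi
    done
    return "$_bad"
}

# status_field STATUS_OUTPUT FIELD: value of one "Field:<TAB>value" line
status_field() {
    printf '%s\n' "$1" | awk -F'\t' -v k="$2:" '$1 == k { print $2 }'
}

# setup_mode_enabled STATUS_OUTPUT: keys can only be enrolled from setup mode
setup_mode_enabled() {
    case "$(status_field "$1" 'Setup Mode')" in
        *Enabled*) return 0 ;;
        *)         return 1 ;;
    esac
}

# unsigned_files VERIFY_OUTPUT: paths that sbctl verify did not accept as signed
unsigned_files() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^failed to verify file \(.*\): .*$/\1/p' \
        -e 's/^✗ \(.*\) is not signed$/\1/p'
}

# preflight KEYDIR STATUS_OUTPUT VERIFY_OUTPUT: 0 only when enrolling is safe
preflight() {
    keys_ok "$1" || { echo "refusing: bad key material under $1"; return 1; }
    setup_mode_enabled "$2" || { echo "refusing: firmware is not in setup mode"; return 1; }
    _unsigned=$(unsigned_files "$3")
    if [ -n "$_unsigned" ]; then
        echo "refusing: these boot files are not signed yet:"
        echo "$_unsigned"
        return 1
    fi
    echo "ok: every boot file is signed; sbctl enroll-keys should be safe"
}

# ---- constructed sample data (not real keys, not real machine output) ----
# make_sample_keys DIR good|corrupt: a db key pair, optionally with a broken .key
make_sample_keys() {
    mkdir -p "$1/db"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB(placeholder)\n-----END CERTIFICATE-----\n' > "$1/db/db.pem"
    if [ "$2" = corrupt ]; then
        printf 'not a key at all\n' > "$1/db/db.key"
    else
        printf -- '-----BEGIN PRIVATE KEY-----\nMIIE(placeholder)\n-----END PRIVATE KEY-----\n' > "$1/db/db.key"
    fi
}

STATUS_SAMPLE=$(printf 'Installed:\t✓ sbctl is installed\nSetup Mode:\t✗ Enabled\nSecure Boot:\t✗ Disabled\n')
VERIFY_UNSIGNED=$(printf 'Verifying file database and EFI images in /efi...\nfailed to verify file /efi/grub/x86_64-efi/grub.efi: no pem block\nfailed to verify file /efi/vmlinuz-linux: no pem block\n')
VERIFY_SIGNED=$(printf 'Verifying file database and EFI images in /efi...\n✓ /efi/grub/x86_64-efi/grub.efi is signed\n✓ /efi/vmlinuz-linux is signed\n')

# Run with --demo to see one refusal (unsigned files) and one pass.
if [ "${1:-}" = "--demo" ]; then
    _d=$(mktemp -d)
    make_sample_keys "$_d" good
    preflight "$_d" "$STATUS_SAMPLE" "$VERIFY_UNSIGNED"
    preflight "$_d" "$STATUS_SAMPLE" "$VERIFY_SIGNED"
    rm -rf "$_d"
fi
```

On a real machine the three inputs would be the actual key directory and the captured output of "sudo sbctl status" and "sudo sbctl verify"; the point of the script is the ordering of the checks, which matches the order in which the thread went wrong: a corrupt key fails signing, unsigned files fail boot, and only once both are clean does enrolling keys make sense.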

#19 2023-07-29 19:02:34

JaydenDev
Member
Registered: 2022-07-11
Posts: 172

Re: Secure Boot

lunaryorn wrote:

Looks as if the keys are corrupted…

What's the output of "sudo find /usr/share/secureboot/keys/" and "sudo file /usr/share/secureboot/keys/**/*"?  Since you're still in setup mode and haven't signed anything yet, perhaps try to generate a fresh set of keys?  "sudo rm -rf /usr/share/secureboot/" and then "sbctl create-keys" again?

They were. So I deleted the secureboot directory, ran through all the steps again. Signed all the files. Verified that they were signed. Yep, they are signed. Yet it's still refusing to boot. The BIOS must not be accepting them or something. However, after running all these commands the BIOS says that keys are in fact loaded.


#20 2023-07-29 19:27:58

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: Secure Boot

JaydenDev wrote:
lunaryorn wrote:

Looks as if the keys are corrupted…

What's the output of "sudo find /usr/share/secureboot/keys/" and "sudo file /usr/share/secureboot/keys/**/*"?  Since you're still in setup mode and haven't signed anything yet, perhaps try to generate a fresh set of keys?  "sudo rm -rf /usr/share/secureboot/" and then "sbctl create-keys" again?

They were.

I think you should figure out why; files don't get corrupted out of the blue, so if you have corrupted secure boot keys all of a sudden, you may have a more serious problem.

So I deleted the secureboot directory, ran through all the steps again. Signed all the files. Verified that they were signed. Yep, they are signed.

Again, please don't paraphrase.  Show the exact commands you ran, and their full and complete output.

Let's see where we are now: What's the output of "sudo sbctl verify" now, after signing things with the new keys?  Did you enroll those new keys?  What's the output of "sbctl status"?

Yet it's still refusing to boot.

What is the actual error message you see?  Take a picture and upload it somewhere.

However, after running all these commands the BIOS says that keys are in fact loaded.

What does the BIOS say exactly, and where does it say so?  Again, please make a picture and upload it.

Last edited by 3beb6e7c46a615a (2023-07-29 19:28:18)
