I wanted Secure Boot on my Arch install, so I signed the keys and then tried appending the BIOS with the PK, KEK and db certificates, but when I did that and then booted, it didn't POST. I tried clearing the CMOS and tried shorting the reset pins; not sure what else to do.
My motherboard is a Gigabyte B450M DS3H Wi-Fi.
i signed the keys and then tried appending the bios with the PK, KEK, DB certificates
That's a bit vague, can you remember the actual commands used?
Did you remove the pre-installed keys?
"The nation-state domesticates the society in the name of capitalism and alienates the community from its natural foundations."
— Democratic Confederalism, Abdullah Öcalan.
Yup, I do; here they are:
sudo pacman -S shim grub sbsigntools efibootmgr
mkdir -p ~/secureboot/keys
cd ~/secureboot/keys
# self-signed PK, KEK and db certificates (PEM)
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days 3650 -subj "/CN=Platform Key/"
openssl req -new -x509 -newkey rsa:2048 -keyout KEK.key -out KEK.crt -days 3650 -subj "/CN=Key Exchange Key/"
openssl req -new -x509 -newkey rsa:2048 -keyout db.key -out db.crt -days 3650 -subj "/CN=Database Key/"
# DER copies for enrolment from the firmware setup menu
openssl x509 -outform DER -in PK.crt -out PK.cer
openssl x509 -outform DER -in KEK.crt -out KEK.cer
openssl x509 -outform DER -in db.crt -out db.cer
# shim and its fallback loader into the default boot path
sudo cp /usr/share/shim-signed/shimx64.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
sudo cp /usr/share/shim-signed/fbx64.efi /boot/efi/EFI/BOOT/fbx64.efi
# sign the GRUB image in place with the db key (the grub-install below rewrites this file)
sudo sbsign --key ~/secureboot/keys/db.key --cert ~/secureboot/keys/db.crt --output /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch --recheck --boot-directory=/boot
# DER certificates onto the ESP so the firmware menu can find them
sudo cp ~/secureboot/keys/*.cer /boot/efi/
Then I enrolled the PK.cer, KEK.cer, and db.cer keys
I think the shim looks for grubx64.efi in the current directory ($ESP/EFI/BOOT/) rather than $ESP/EFI/arch/ but the later grub-install command will have created a new boot entry, thus preventing the shim from being loaded.
How did you enrol the keys, exactly?
What actually happens when you start the machine? What do you see on the screen? Can you get to the firmware ("BIOS") options at all?
To enrol the keys, I went into the BIOS; inside the BIOS section there were the Secure Boot options, which led me into Key Management. There were multiple options, like PK, KEK and Authorized Signatures; I clicked on each, clicked Update for each, then went into my drive and selected PK.cer, KEK.cer and db.cer and updated each respectively.
When I press the power button, it is simply a blank screen: there is no POST, no motherboard LEDs, no sound either. I'm not able to get into the BIOS at all.
If the "update" process replaced the factory keys rather than just adding new ones then you might be shit out of luck. Some laptops have hardware that needs SecureBoot verification to start at all. There is a warning to this effect on the SecureBoot ArchWiki page.
Ah shit, I think that might be the case, as the option shows the number of enrolled keys or something like that, and that number went down, so it has to have replaced them. So is there nothing I can do now? Just dump the motherboard and buy a new one? I do have a backup lying around, but I'll have to use an old CPU for that t~t
I do not know of any methods to repair such damage but that doesn't mean they don't exist. Perhaps other forum members will have some suggestions.
Right, I will look for them then, I guess, but this seems like such an uncommon issue that I might be hard out of luck finding anything useful.
Welp, I guess I will remember to think twice before messing with the BIOS again t~t
Thanks a lot for your help though, you were super helpful!!
You're welcome
This doesn't really help you now but the sbctl wiki has some information on how to check for opROMs before replacing keys: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom
So if you decide to try again you can check first.
EDIT: if this is a display problem perhaps try a serial connection while booting? No idea if you can access the firmware options in that case though.
Last edited by Head_on_a_Stick (2024-07-20 18:48:16)
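The check the sbctl FAQ describes, as an added example that is not part of this thread, the ArchWiki or sbctl: before you replace the firmware's db with your own certificate, read the current `db` variable from efivarfs, walk the EFI_SIGNATURE_LIST structures inside it to see whether one of Microsoft's UEFI CAs (the CA that third-party option ROMs on GPUs, NICs and RAID controllers are signed with) is present, and list the PCI devices that expose an option ROM. Python is used because the variable is a binary structure; the 4-byte attribute prefix of efivarfs files, the list layout and the `db` GUID are from the UEFI specification and the kernel, while the CN-substring match inside the DER blob and the example owner GUID are assumptions of this example rather than a real X.509 parse. The test input (fake certificate blobs, a fake sysfs tree) is constructed, not captured from a real board.

```python
"""Pre-flight check before replacing the Secure Boot db with your own keys.

Added example for this thread; not from the original poster, the ArchWiki or
sbctl.  Reads the raw `db` variable from efivarfs, walks the
EFI_SIGNATURE_LIST structures inside it, reports whether a Microsoft UEFI CA
(the CA that signs third-party option ROMs) is present, and lists the PCI
devices that carry an option ROM the firmware will try to verify.
"""
import struct
import uuid
from pathlib import Path

# GUID that marks an X.509 certificate entry inside an EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# efivarfs path of db (EFI_IMAGE_SECURITY_DATABASE_GUID); the file holds
# 4 bytes of variable attributes followed by the variable data.
DB_EFIVAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Arbitrary owner GUID for lists built with build_esl() (assumption: the owner
# field does not matter for this check).
EXAMPLE_OWNER_GUID = uuid.UUID("a1b2c3d4-0000-4000-8000-000000000001")

# Subject CNs of Microsoft's third-party UEFI CAs.  Matching the literal CN
# bytes inside the DER blob is a heuristic (assumption: no X.509 parser here),
# which is enough for a warning before you enrol.
MS_UEFI_CA_CNS = (
    b"Microsoft Corporation UEFI CA 2011",
    b"Microsoft UEFI CA 2023",
    b"Microsoft Option ROM UEFI CA 2023",
)


def parse_esl(data: bytes):
    """Yield (signature_type, owner, payload) for every entry of every
    EFI_SIGNATURE_LIST in `data` (lists are simply concatenated).

    Layout, all little-endian:
      SignatureType GUID[16] | SignatureListSize u32 | SignatureHeaderSize u32
      | SignatureSize u32 | header[SignatureHeaderSize]
      | entries: (SignatureOwner GUID[16] | SignatureData)[*]
    """
    off = 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError(f"corrupt SignatureListSize {list_size} at offset {off}")
        entries = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(entries) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(entries), sig_size):
            entry = entries[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payload: bytes) -> bytes:
    """Build a single-entry EFI_SIGNATURE_LIST (no header), the shape
    cert-to-efi-sig-list produces for one certificate."""
    sig_size = 16 + len(payload)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + payload)


def db_has_microsoft_uefi_ca(efivar_bytes: bytes) -> bool:
    """True if an X.509 entry in a raw efivarfs `db` file names a Microsoft UEFI CA."""
    for sig_type, _owner, payload in parse_esl(efivar_bytes[4:]):
        if sig_type == EFI_CERT_X509_GUID and any(cn in payload for cn in MS_UEFI_CA_CNS):
            return True
    return False


def pci_devices_with_option_rom(sysfs_pci="/sys/bus/pci/devices"):
    """PCI addresses whose sysfs node has a `rom` file, i.e. devices carrying an
    option ROM that the firmware verifies against db when Secure Boot is on."""
    root = Path(sysfs_pci)
    if not root.is_dir():
        return []
    return sorted(p.name for p in root.iterdir() if (p / "rom").exists())


def preflight(db_bytes: bytes, sysfs_pci="/sys/bus/pci/devices") -> dict:
    """Combine both checks; `keep_microsoft_ca` is the recommendation."""
    roms = pci_devices_with_option_rom(sysfs_pci)
    return {
        "microsoft_ca_in_db": db_has_microsoft_uefi_ca(db_bytes),
        "option_rom_devices": roms,
        "keep_microsoft_ca": bool(roms),
    }


if __name__ == "__main__":
    if not DB_EFIVAR.exists():
        print("no db variable in efivarfs (legacy boot, or efivarfs not mounted)")
    else:
        r = preflight(DB_EFIVAR.read_bytes())
        print(f"Microsoft UEFI CA in current db: {r['microsoft_ca_in_db']}")
        print(f"PCI devices with option ROMs:   {r['option_rom_devices'] or 'none'}")
        if r["keep_microsoft_ca"]:
            print("=> keep the Microsoft UEFI CA in your new db (e.g. "
                  "`sbctl enroll-keys --microsoft`), or those devices may not initialise")
```

Run it as root on the machine before enrolling anything. If it lists option ROM devices, enrol a db that still contains the Microsoft UEFI CA (sbctl's `enroll-keys --microsoft` does this, or append Microsoft's certificate to your own db ESL) rather than one holding only your self-signed certificate; with the Microsoft CA gone, the firmware refuses to run the GPU's ROM and you get exactly the blank screen described above.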