
#1 2024-09-12 06:45:25

trofo
Member
Registered: 2024-09-01
Posts: 8

Help with secure boot

As indicated at https://github.com/Foxboron/sbctl/wiki/FQ0001 in BIOS I have "Secure boot" set to "Enabled", "Secure Boot Mode" set to "Custom" and "Secure Boot Preset" set to "Maximum Security". Yet:

sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	d84a1399-d218-4881-ba20-bc21c2754f78
Setup Mode:	✗ Enabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft builtin-db builtin-KEK
Firmware:	‼ Your firmware has known quirks
		- FQ0001: Defaults to executing on Secure Boot policy violation (CRITICAL)
		  https://github.com/Foxboron/sbctl/wiki/FQ0001
sudo sbctl verify
Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/arch/grubx64.efi.signed is signed
✓ /boot/vmlinuz-linux-lts is signed
✓ /boot/vmlinuz-linux-zen is signed
✓ /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed is signed
✓ /boot/efi/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/efi/EFI/arch/grubx64.efi is signed
✓ /boot/efi/EFI/systemd/systemd-bootx64.efi is signed

The only message I see in dmesg seems unrelated to me:

sudo dmesg | grep secure
[    5.660587] amdgpu 0000:2d:00.0: amdgpu: SECUREDISPLAY: securedisplay ta ucode is not available
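The status output above is the thing to check before trusting the firmware menu, so here is an added example script (not from this thread and not part of sbctl) that reads `sbctl status` output and reports whether Secure Boot is really enforcing: Setup Mode off, Secure Boot on, and no firmware quirk that sbctl rates CRITICAL. The sample it runs on is constructed from the post; the helper names `status_field`, `critical_quirks` and `sb_enforcing` are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from sbctl: decide from "sbctl status"
# output whether Secure Boot is actually enforcing. The trap in the post is that
# the firmware menu says "Enabled" while "Setup Mode: Enabled" means no Platform
# Key is enrolled yet, so nothing is verified at boot.
set -u

# Print the last word of the status line that starts with $2 (e.g. "Enabled").
status_field() {
    # $1: file holding sbctl status output, $2: line label such as "Setup Mode:"
    awk -v label="$2" 'index($0, label) == 1 { print $NF; exit }' "$1"
}

# Count firmware quirks flagged CRITICAL, e.g. "- FQ0001: ... (CRITICAL)".
critical_quirks() {
    grep -c 'FQ[0-9][0-9]*:.*(CRITICAL)' "$1" || true
}

# Returns 0 only when the machine is enforcing; prints one line per finding otherwise.
sb_enforcing() {
    f=$1
    rc=0
    setup=$(status_field "$f" "Setup Mode:")
    sb=$(status_field "$f" "Secure Boot:")
    quirks=$(critical_quirks "$f")
    if [ "$setup" = "Enabled" ]; then
        echo "FINDING: setup mode is on; no PK enrolled, so the policy is not enforced"
        rc=1
    fi
    if [ "$sb" != "Enabled" ]; then
        echo "FINDING: Secure Boot reports '${sb:-unknown}', not Enabled"
        rc=1
    fi
    if [ "${quirks:-0}" -gt 0 ]; then
        echo "FINDING: $quirks CRITICAL firmware quirk(s); firmware may run unsigned images anyway"
        rc=1
    fi
    return "$rc"
}

# Constructed sample mirroring the first post (setup mode on, SB off, FQ0001 quirk).
SAMPLE=$(mktemp)
printf '%s\n' \
    'Installed:      ✓ sbctl is installed' \
    'Owner GUID:     00000000-0000-0000-0000-000000000000' \
    'Setup Mode:     ✗ Enabled' \
    'Secure Boot:    ✗ Disabled' \
    'Vendor Keys:    microsoft builtin-db builtin-KEK' \
    'Firmware:       ‼ Your firmware has known quirks' \
    '                - FQ0001: Defaults to executing on Secure Boot policy violation (CRITICAL)' \
    > "$SAMPLE"

if sb_enforcing "$SAMPLE"; then
    echo "Secure Boot is enforcing"
else
    echo "Secure Boot is NOT enforcing; fix the findings above before relying on it"
fi
rm -f "$SAMPLE"
```

To run it against the live system instead of the sample, save `sbctl status` to a file and call `sb_enforcing` on that file; a non-zero exit with the findings printed is the signal that the boot chain is not yet protected, whatever the firmware menu says.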


#2 2024-09-12 07:48:23

trofo
Member
Registered: 2024-09-01
Posts: 8

Re: Help with secure boot

Just realized after posting the initial message that "Setup Mode: ✗ Enabled", so if I try to take it out of setup mode by setting "Provision Factory Default keys" to "disabled" then in grub I get "error: prohibited by secure boot policy."

I guess it's either the fonts that I need to sign or some modules (and don't know which ones).


#3 2024-09-12 08:05:22

cryptearth
Member
Registered: 2024-02-03
Posts: 875

Re: Help with secure boot

just disable it
SecureBoot is flawed by design: The only case SecureBoot would do anything is if you lock down the system to only execute signed code.
But as it only protects the boot and as soon as you log in you can execute any unsigned code anyway the chain of trust is broken.
Turn the question upside down: What do you think SecureBoot protects you against when you can still run any unsigned code in userland anyway which could use unknown vulnerabilities to gain elevated privileges (or the user is dumb enough to execute such code via sudo) which then harms you anyway?
Or: Why do you only sign the bootloader, the kernel and the initramdisk but then nothing else like any binary or library which they depend on? Why do you trust some random code cloned from some github repo but not your kernel?

SecureBoot is just M$ marketing bullshit - and unless you have a threat vector it can protect against just disable and ignore it and save yourself all that trouble.


#4 2024-09-12 10:31:32

Head_on_a_Stick
Member
From: Belsize Park
Registered: 2014-02-20
Posts: 8,248

Re: Help with secure boot

trofo wrote:

if I try to take it out of setup mode by setting "Provision Factory Default keys" to "disabled" then in grub I get "error: prohibited by secure boot policy."

That happens when GRUB tries to sideload a module not included in core.img so either add the modules you need with grub-mkstandalone(1) or grub-mkimage(1), or follow https://wiki.archlinux.org/title/GRUB#Shim-lock.


"The nation-state domesticates the society in the name of capitalism and alienates the community from its natural foundations."
Democratic Confederalism, Abdullah Öcalan.
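As an added example (not from this thread, and not GRUB's or sbctl's own code), a script that takes the module-embedding route from the reply above: it reads the `insmod` lines of a grub.cfg to find which modules the config loads at runtime, merges them with an assumed baseline list, builds a standalone GRUB image with those modules built into core.img via grub-mkstandalone, and signs the result with sbctl. The baseline module list, the helper names and the sample grub.cfg it demonstrates on are my own assumptions and constructions; the grub-mkstandalone and sbctl flags are the tools' real ones.

```shell
#!/bin/sh
# Added example, not from the thread, GRUB or sbctl: with Secure Boot enforcing,
# GRUB refuses to sideload .mod files from the ESP, so every module the config
# "insmod"s must already be built into the signed core image. This lists those
# modules, adds a baseline, builds a standalone image and signs it.
set -u

# Assumed baseline: modules GRUB needs before grub.cfg can even be parsed.
# Extend it for your setup (e.g. add lvm, luks, btrfs, gfxterm as required).
BASELINE="normal linux part_gpt fat ext2 search search_fs_uuid configfile echo"

# Unique module names from "insmod <name>" lines, in first-seen order.
grub_cfg_modules() {
    # $1: path to grub.cfg; leading whitespace is ignored by awk's field splitting
    awk '$1 == "insmod" && !seen[$2]++ { print $2 }' "$1"
}

# Baseline plus config modules, deduplicated, as one space-separated line.
grub_module_list() {
    {
        for m in $BASELINE; do echo "$m"; done
        grub_cfg_modules "$1"
    } | awk '!seen[$0]++' | paste -sd' ' -
}

# Build the image with the modules embedded and the config baked in, then sign it.
# "sbctl sign -s" signs the file and records it so "sbctl verify" keeps checking it.
build_signed_grub() {
    # $1: grub.cfg to embed, $2: output path on the ESP
    #     (the thread's path is /boot/efi/EFI/arch/grubx64.efi); run as root
    grub-mkstandalone -O x86_64-efi -d /usr/lib/grub/x86_64-efi \
        --modules="$(grub_module_list "$1")" --locales="" --fonts="" \
        -o "$2" "boot/grub/grub.cfg=$1" &&
    sbctl sign -s "$2"
}

if [ "$#" -eq 2 ]; then
    build_signed_grub "$1" "$2"
else
    # No arguments: show the module list derived from a constructed grub.cfg.
    CFG=$(mktemp)
    printf '%s\n' 'insmod part_gpt' '  insmod ext2' 'set root=hd0,gpt2' \
        'insmod gfxterm' 'insmod part_gpt' > "$CFG"
    echo "modules to embed: $(grub_module_list "$CFG")"
    rm -f "$CFG"
fi
```

Because the config is embedded in the image, the image has to be rebuilt and re-signed after every grub-mkconfig run; the alternative is to embed a short stub config that locates and `configfile`s the on-disk grub.cfg, in which case the modules to scan are still those of the on-disk file, since that is what gets interpreted after the lockdown is in effect.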


#5 2024-09-12 11:07:38

trofo
Member
Registered: 2024-09-01
Posts: 8

Re: Help with secure boot

Perfect. Thank you.
