Help with secure boot

trofo · 2024-09-12 06:45:25

As indicated at https://github.com/Foxboron/sbctl/wiki/FQ0001 in BIOS I have "Secure boot" set to "Enabled", "Secure Boot Mode" set to "Custom" and "Secure Boot Preset" set to "Maximum Security". Yet:

sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	d84a1399-d218-4881-ba20-bc21c2754f78
Setup Mode:	✗ Enabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft builtin-db builtin-KEK
Firmware:	‼ Your firmware has known quirks
		- FQ0001: Defaults to executing on Secure Boot policy violation (CRITICAL)
		  https://github.com/Foxboron/sbctl/wiki/FQ0001

sudo sbctl verify
Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/arch/grubx64.efi.signed is signed
✓ /boot/vmlinuz-linux-lts is signed
✓ /boot/vmlinuz-linux-zen is signed
✓ /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed is signed
✓ /boot/efi/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/efi/EFI/arch/grubx64.efi is signed
✓ /boot/efi/EFI/systemd/systemd-bootx64.efi is signed

The only message I see in dmesg seem unrelated to me:

sudo dmesg | grep secure
[    5.660587] amdgpu 0000:2d:00.0: amdgpu: SECUREDISPLAY: securedisplay ta ucode is not available

trofo · 2024-09-12 07:48:23

Just realized after posting the initial message that "Setup Mode: ✗ Enabled", so if I try to take it out of setup mode by stiing "Provision Factory Default keys" to "disabled" then in grub I get "error: prohibited by secure boot policy.".

I guess it's either the fonts that I need to sign or some modules (and don't know which ones).

cryptearth · 2024-09-12 08:05:22

just disable it
SecureBoot is flawed by design: The only case SecureBoot would do anything is if you lock down the system to only execute singed code.
But as it only protects the boot and as soon as you login you can execute any unsigned code anyway the chain of trust is broken.
Turned the question upside-down: What do you think SecureBoot protects you against when you can still run any unsigned code in userland anyway which could use unknown vulnerabilities to gain elevated privileges (or the user be dumb enough to execute such code via sudo) which then harms you anyway?
Or: Why do you only sign the bootloader, the kernel and the initramdisk but then nothin else like any binary or library which they depend on? Why do you trust some random code cloned from some github repo but not your kernel?

SecureBoot is just M$ marketing bullshit - and unless you have a threat vector it can protect against just disable and ignore it and save yourself all that trouble.

Head_on_a_Stick · 2024-09-12 10:31:32

trofo wrote:

if I try to take it out of setup mode by stiing "Provision Factory Default keys" to "disabled" then in grub I get "error: prohibited by secure boot policy."

That happens when GRUB tries to sideload a module not included in core.img so either add the modules you need with grub-mkstandalone(1) or grub-mkimage(1), or follow https://wiki.archlinux.org/title/GRUB#Shim-lock.

trofo · 2024-09-12 11:07:38

Perfect. Thank you.

Arch Linux

#1 2024-09-12 06:45:25

Help with secure boot

#2 2024-09-12 07:48:23

Re: Help with secure boot

#3 2024-09-12 08:05:22

Re: Help with secure boot

#4 2024-09-12 10:31:32

Re: Help with secure boot

#5 2024-09-12 11:07:38

Re: Help with secure boot

Board footer