You are not logged in.

#1 2024-12-03 06:55:41

chared
Member
Registered: 2024-09-17
Posts: 7

[SOLVED]Enable secure boot on my Lenovo Ideapad Gaming 3?

This is the output of

# dmidecode -t bios
# dmidecode 3.6
Getting SMBIOS data from sysfs.
SMBIOS 3.3.0 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
        Vendor: LENOVO
        Version: H3CN46WW(V3.04)
        Release Date: 01/12/2024
        Address: 0xE0000
        Runtime Size: 128 kB
        ROM Size: 16 MB
        Characteristics:
                PCI is supported
                BIOS is upgradeable
                BIOS shadowing is allowed
                Boot from CD is supported
                Selectable boot is supported
                EDD is supported
                Japanese floppy for NEC 9800 1.2 MB is supported (int 13h)
                Japanese floppy for Toshiba 1.2 MB is supported (int 13h)
                5.25"/360 kB floppy services are supported (int 13h)
                5.25"/1.2 MB floppy services are supported (int 13h)
                3.5"/720 kB floppy services are supported (int 13h)
                3.5"/2.88 MB floppy services are supported (int 13h)
                8042 keyboard services are supported (int 9h)
                CGA/mono video services are supported (int 10h)
                ACPI is supported
                USB legacy is supported
                BIOS boot specification is supported
                Targeted content distribution is supported
                UEFI is supported
        BIOS Revision: 1.46
        Firmware Revision: 1.46

Handle 0x0021, DMI type 13, 22 bytes
BIOS Language Information
        Language Description Format: Longs 
        Installable Languages: 4
                en|US|iso8859-1
                fr|FR|iso8859-1
                ja|JP|unicode
                zh|TW|unicode
        Currently Installed Language: en|US|iso8859-1

So, after knowing that my laptop uses Lenovo's UEFI firmware. I read into the wiki and found this (the note in red). Now, I am wondering if my laptop also uses Lenovo CA certificate to sign its UEFI firmware and applications. And, if that is the case what can do to enable secure boot in that case?

MORE INFORMATION-
1. I am dual-booting with windows. So, I'll also be following this.

2. I seem to not have a problem with optionRom files as they are not a part of my bootchain. Read this for more info.

Now, I wanted to figure out a way to know it my UEFI firmware is signed by Lenovo CA certificate or not, and if it is not then validate it. This is all I could find-

$ efi-readvar -v db
Variable db, length 3969
db: List 0, type X509
    Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
db: List 1, type X509
    Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
db: List 2, type X509
    Signature 0, size 798, owner e04fd794-033e-46a0-81d2-048e8da1432e
        Subject:
            CN=OK Certificate
        Issuer:
            CN=OK Certificate

Now, I know "77fa9abd-0359-4d32-bd60-28f4e78f784b" is Microsoft's GUID, but there's another GUID present "e04fd794-033e-46a0-81d2-048e8da1432e". Is this GUID associated with Lenovo? And if it is, will it interfere in the process of enabling secure boot? And, if it "does" interfere how do we solve it?

Last edited by chared (Yesterday 18:07:03)

Offline

#2 2024-12-03 06:59:16

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,347
Website

Re: [SOLVED]Enable secure boot on my Lenovo Ideapad Gaming 3?

If you don't have any OpROMs then it should be safe to remove the manufacturer keys and replace them with your own. Keeping the Microsoft keys and adding your own removes any risk completely so you could do that instead if you're worried. UEFI firmware implementations tend to be very buggy so it's hard to give guarantees.

Last edited by Head_on_a_Stick (2024-12-03 07:00:48)


Para todos todo, para nosotros nada

Online

#3 2024-12-03 07:11:36

chared
Member
Registered: 2024-09-17
Posts: 7

Re: [SOLVED]Enable secure boot on my Lenovo Ideapad Gaming 3?

Head_on_a_Stick wrote:

UEFI firmware implementations tend to be very buggy so it's hard to give guarantees.

Yeah, that's exactly my worry. If something goes wrong, I am pretty much screwed. This wouldn't have been a problem if I could find resources that refer to this same problem.

Offline

#4 Yesterday 02:01:23

Chaseis4344
Member
Registered: 2024-06-29
Posts: 4

Re: [SOLVED]Enable secure boot on my Lenovo Ideapad Gaming 3?

If you are worried about it you could pull out your EFI variables as outlined on this part of the wiki: https://wiki.archlinux.org/title/Unifie … _variables. I would do further research into how to restore the variables as well, I know sbctl can enroll keys, so looking at their mechanism for doing that might help as well.

Offline

#5 Yesterday 18:05:02

chared
Member
Registered: 2024-09-17
Posts: 7

Re: [SOLVED]Enable secure boot on my Lenovo Ideapad Gaming 3?

Update: Everything went well, I just followed the sbctl part on the arch wiki but I also had to enroll my vendor keys with the --firmware-builtin (-f) flag. Again, I don't know if adding this flag does anything, but I wanted to be on the safer side of things.

Offline

Board footer

Powered by FluxBB