UEFI Secure Boot
This material is work-in-progress ...
Do not follow instructions here until this notice is removed.
Prepare a mount point for the EFI System Partition (ESP) at /boot/efi:
Add the following line to /etc/fstab (replace <first-partition-uuid> with the UUID of your ESP as reported by blkid):
UUID=<first-partition-uuid> /boot/efi vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
Generating own UEFI keys
Before creating new keys and modifying EFI variables, it is advisable to back up the current variables (PK, KEK, db and dbx, exposed under /sys/firmware/efi/efivars), so that they can be restored in case of error:
Generate your self-signed PK, KEK and db keys, including the .esl and .auth files:
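The .esl files produced by the key-generation step are EFI_SIGNATURE_LIST containers around the DER-encoded certificates, and a backup of db taken from efivarfs is the same format behind a 4-byte attribute word. The following Python is an added example, not part of this page or of any Alpine package: it builds a single-certificate X509 signature list, parses lists back (including multi-entry lists as found in dbx), and splits a raw efivarfs dump into attributes and entries. The certificate bytes and the owner GUID are constructed placeholders; the efivarfs file name and the attribute value 0x27 follow the UEFI specification.

```python
"""Build and inspect EFI_SIGNATURE_LIST (.esl) blobs.

Added example, not part of the original wiki page or any Alpine package.
The certificate bytes below are a constructed placeholder, not real DER.
"""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (Signature Database section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUID under which db/dbx live in efivarfs, e.g. db-d719b2cb-3d3a-4596-a3bc-dad00e67656f.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

_KNOWN_TYPES = {
    EFI_CERT_X509_GUID: "X509",
    EFI_CERT_SHA256_GUID: "SHA256",
}

# EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) + three little-endian UINT32:
# SignatureListSize, SignatureHeaderSize, SignatureSize.
_SIGLIST_HDR = struct.Struct("<16sIII")
_GUID_LEN = 16


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST of type X509.

    Layout: header, no signature header, then exactly one EFI_SIGNATURE_DATA
    entry made of the SignatureOwner GUID followed by the certificate bytes.
    """
    sig_size = _GUID_LEN + len(der_cert)
    list_size = _SIGLIST_HDR.size + sig_size
    header = _SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esl(blob: bytes):
    """Return [(type_name, owner_guid, signature_data), ...] for a .esl blob.

    A blob may hold several concatenated lists (a db with vendor and own
    certificates); each list may hold several equally sized entries (typical
    for SHA256 hash lists in dbx). Malformed sizes raise ValueError rather
    than being silently skipped, because these files end up in firmware.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = _SIGLIST_HDR.unpack_from(blob, off)
        if list_size < _SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= _GUID_LEN:
            raise ValueError("SignatureSize too small at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        type_name = _KNOWN_TYPES.get(sig_type, str(sig_type))
        body_start = off + _SIGLIST_HDR.size + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError("signature area not a multiple of SignatureSize at offset %d" % off)
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _GUID_LEN])
            entries.append((type_name, owner, blob[pos + _GUID_LEN:pos + sig_size]))
        off += list_size
    return entries


def parse_efivar_dump(raw: bytes):
    """Split a raw efivarfs file (e.g. a backup of db) into (attributes, entries).

    efivarfs prefixes the variable data with a 4-byte little-endian attribute
    word; the remainder is the same EFI_SIGNATURE_LIST format as a .esl file.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs dump shorter than the attribute word")
    attributes = struct.unpack_from("<I", raw, 0)[0]
    return attributes, parse_esl(raw[4:])


# Constructed placeholder standing in for a DER-encoded certificate (not a real cert).
FAKE_DER_CERT = b"\x30\x82\x00\x10" + bytes(range(16))
# Constructed owner GUID; any GUID you pick identifies your own keys in the lists.
MY_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def demo():
    """Build a one-certificate .esl, then read it back as if dumped from efivarfs."""
    esl = build_x509_esl(FAKE_DER_CERT, MY_OWNER_GUID)
    entries = parse_esl(esl)
    # Emulate a backup of db: attributes NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    # (0x01|0x02|0x04|0x20 = 0x27) followed by two concatenated signature lists.
    dump = struct.pack("<I", 0x27) + esl + esl
    attrs, dumped = parse_efivar_dump(dump)
    return esl, entries, attrs, dumped


if __name__ == "__main__":
    esl, entries, attrs, dumped = demo()
    print("esl bytes:", len(esl), "entries:", entries)
    print("dump attributes: 0x%x, entries in dump: %d" % (attrs, len(dumped)))
```

Running parse_efivar_dump over the db backup you take before enrolling shows which owner GUIDs and certificate types are currently trusted, which is the same information the firmware's Key Management menu presents when you later decide whether to delete vendor entries.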
Now you can uninstallif you want:
Generating Unified Kernel Image
Install packageand :
cmdline in /etc/kernel-hooks.d/secureboot.conf. It should not contain an initrd= parameter! Example of a valid
Run kernel hooks:
Add boot entry:
Enrolling UEFI keys
Copy all *.esl and *.auth files from /etc/uefi-keys to a FAT-formatted file system (the EFI System Partition can be used).
Launch the firmware setup utility and enrol the db, KEK and PK certificates, in this order: enrolling the PK takes the platform out of Setup Mode, after which KEK and db can only be changed with updates signed by the next key up in the chain. Firmware setup interfaces differ between vendors; the following steps for a ThinkPad T14s are just an example.
- Reboot system and enter ThinkPad Setup (F1).
- Go to Security > Secure Boot
- Change Secure Boot to Enabled
- Reset to Setup Mode
- Go to Key Management
- Authorized Signature Database (DB)
- Enroll DB > select your Flash Drive > select db.auth
- Delete DB > delete Microsoft certificates (optional; keep them if any of your hardware has option ROMs signed by the Microsoft UEFI CA, such as discrete GPUs, because those will not load without them)
- Key Exchange Key (KEK)
- Enroll KEK > select your Flash Drive > select KEK.auth
- Delete KEK > delete Microsoft certificates (optional)
- Platform Key (PK) > Enroll PK > select your Flash Drive > select PK.auth (this MUST be the last step: it leaves Setup Mode)
- Go to top, Restart > Exit Saving Changes