# To perform the following instructions, some packages are needed. # They are all installed with apt at the begining of install.sh. ## Create the keys: # run the script mkkeys.sh (better in a dedicated directory) mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh ## Signing a UEFI application: # before running the following line (from install.sh) dracut --force -c ./dracut.module/dracut.conf --confdir dracut_tmp # put the following from the signing key in /etc/uefi-key/ # db.cer db.crt db.key ## Add keys to the firmware: # run efi-readvar # if PK, KEK or db is not empty then # reboot and, in the BIOS, disable Secure Boot (SB) and remove every keys # then if we assume the keys have the name mkkeys.sh gives them: # Add the Platform Key (the authority key for the machine). efi-updatevar -f PK.auth PK # Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes) efi-updatevar -a -c KEK.crt -k PK.key KEK # Replace the current whitelist certificate efi-updatevar -f -c DB.crt -k KEK.key db # (replace -f with -a to append another whitelist certificate instead of replacing the old one) ### Troubleshooting # Some general informations: # 1) As a general matter, with Secure Boot (SB) disabled and no key, every key should addable. # 2) A Platform Key is needed for Secure Boot (SB) to be enabled. # 3) To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key). ## Common errors: # error: "Failed to update <var>: Operation not permitted" # when trying to delete or replace a key, may be resolved by making it mutable: lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}* # "----i--------------" before the key means it is set as immutable # to make it mutable chattr -i /sys/firmware/efi/efivars/<key> # (example:) chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f # recommanded: make everything immutable after your operation # to do so, perform the same command with +i instead of -i (same example:) chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f # error: "Cannot write to db, wrong filesystem permissions" # may be resolved providing the upper level private key # (note that it can happen even with root mode, as keys are stored on a separate filesystem)