Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it. The way you do this is by installing your own Platform Key. Once you have done this, you can […]
I’m pleased to announce that the Linux Foundation and its Technical Advisory Board have produced a plan to enable Linux (and indeed all Open Source based distributions) to continue operating as Secure Boot enabled systems roll out. In a nutshell, the Linux Foundation will obtain a Microsoft Key and sign a small pre-bootloader which […]
All the tools are in the git repository http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary. But for ease of consumption, this is now packaged and built by the openSUSE build server as installable rpm files. If you install the efitools-0.1.rpm package, it will automatically provision you with Platform Key, Key Exchange Key and db key. The README file in /usr/share/efitools/ explains […]
As of commit a2185c6 ("sign-efi-sig-list: functional version for time based updates"), http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary has the capability to construct runtime updates to the secure variables. So far I’ve managed to add extra keys to db, replace KEK and take the platform into setup mode. The Basics: The repository now contains an EFI program Update.efi which can be […]
Introduction: UEFI secure boot is a feature described by the latest UEFI specification (2.3.1c) which is available from the UEFI Forum Site. There have also been numerous blog posts about how UEFI secure boot works (e.g. here or here), so it will not be described here further. The purpose of this site is to keep […]