To test the Secure Boot feature on real hardware, the steps below were followed:
1. First of all, a system running an up-to-date Debian unstable is needed.
2. Install the signed shim, grub and linux packages from unstable:
   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64
3. Download the test certificate:
   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem
4. Convert the certificate to DER format:
   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der
5. Import the test DER certificate as a MOK (Machine Owner Key). There are two ways of doing that:
   - a) Install mokutil and import the certificate using it:
     $ mokutil --import test-signing-certs.der
     - The last command may require a password to manage the keys and certificates.
   - b) Place the certificate in /boot/efi/EFI/debian and add it using the graphical interface provided by shim. Boot into the EFI shell and run the following command:
     Shell> fs0:\EFI\debian\mmx64.efi
     - Then, perform the actions below:
       - Select the option Enroll key from disk.
       - Select the disk option that represents your EFI partition.
       - Go to the EFI/debian directory.
       - Select test-signing-certs.der.
       - Select Continue and confirm the action (Yes).
     Now our test certificate is enrolled and you can select Continue boot. To exit from the EFI shell, run:
     Shell> exit
6. Enable Secure Boot.
7. Reboot the machine and enjoy the Secure Boot feature.
Do not forget to check that GRUB is loading the signed Linux image 4.19.0-1-amd64.
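The check asked for after step 7 can be scripted. The following is an added example, not part of the original wiki page: it reads the SecureBoot EFI variable, asks mokutil whether the test certificate is enrolled, and verifies the signature of the kernel GRUB booted. It assumes the file names from steps 3 and 4 are in the current directory, the usual efivarfs mount point, and sbverify from the sbsigntool package.

```shell
#!/bin/sh
# Added example, not from the original page: checks to run after step 7.
# Assumptions: file names from steps 3-4 in the current directory, the usual
# efivarfs mount point, and sbverify from the sbsigntool package.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
CERT_PEM=test-signing-certs.pem
CERT_DER=test-signing-certs.der

# An efivarfs file is 4 attribute bytes followed by the data; for SecureBoot
# the data is a single byte: 1 = enforcing, 0 = off.
secureboot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Extract the kernel path GRUB recorded as BOOT_IMAGE= from a kernel command
# line, dropping a leading GRUB device such as (hd0,gpt2).
booted_image() {
    for word in $1; do
        case "$word" in
            BOOT_IMAGE=*)
                p=${word#BOOT_IMAGE=}
                echo "${p#"("*")"}"
                return 0 ;;
        esac
    done
    return 1
}

run_checks() {
    [ "$(secureboot_state "$SB_VAR")" = enabled ] ||
        { echo "Secure Boot is not enabled" >&2; return 1; }
    # Reports whether the test certificate is in the MOK list.
    mokutil --test-key "$CERT_DER"
    image=$(booted_image "$(cat /proc/cmdline)") ||
        { echo "no BOOT_IMAGE= in /proc/cmdline" >&2; return 1; }
    # With a separate /boot partition GRUB records /vmlinuz-...; map it back.
    [ -e "$image" ] || image="/boot/${image#/}"
    # Verify the signature on the running kernel against the test certificate.
    sbverify --cert "$CERT_PEM" "$image"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root with `--run` after the reboot in step 7; without that argument the script only defines the functions.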
The steps above have been performed on the following hardware so far:
- ThinkPad X230
- Minnowboard Turbot
- HP 250 G4 (using method b)
- ASUS ZenBook Pro 15 UX550GE
- Dell XPS 13 2013 (L322X) failed at 5.
  - [2019-01-08] tested by coucouf
  - mokutil fails with message Failed to enroll new keys and return code 255 after giving a new password twice
  - no visible way to get to a UEFI shell on that machine for method b)
  - [2019-01-08] tested by coucouf
- ThinkPad Yoga12
  - mokutil fails with Failed to enroll new keys
  - 5b works with a shell on a Vfat USB stick from https://github.com/tianocore/edk2/tree/master/ShellBinPkg/UefiShell/X64 saved in EFI/BOOT/Shellx64.efi and booted from the USB stick. Then it is:
    Shell> fs1:\EFI\debian\mmx64.efi
  - BIOS setting Secure boot to Custom settings needed.