Differences between revisions 11 and 12
Revision 11 as of 2019-01-09 10:50:00
Size: 2893
Editor: cy8aer
Comment:
Revision 12 as of 2019-01-09 10:52:06
Size: 2890
Editor: cy8aer
Comment:
Line 84: Line 84:
      * 5b works with a shell on Vfat-USB stick on from https://github.com/tianocore/edk2/tree/master/ShellBinPkg/UefiShell/X64 saved in '''EFI/BOOT/Shellx64.efi''' and bootet from USB stick. Then it is {{{       * 5b works with a shell on Vfat-USB stick from https://github.com/tianocore/edk2/tree/master/ShellBinPkg/UefiShell/X64 saved in '''EFI/BOOT/Shellx64.efi''' and bootet from USB stick. Then it is {{{
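Review bot: the edited line still spells "bootet" for "booted" on both sides of the change, so the same line will need a further revision; correcting it together with the "on from" fix would have covered both in one edit.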

To test the Secure Boot feature on real hardware, the steps below were followed:

1. First of all, a system running an up-to-date Debian unstable is needed

2. Install the signed shim, grub and linux packages from unstable:

   $ apt install shim-signed grub-efi-amd64-signed linux-image-4.19.0-1-amd64

3. Download the test certificate:

   $ wget https://salsa.debian.org/kernel-team/linux/raw/debian/4.19.9-1/debian/certs/test-signing-certs.pem

4. Convert the certificate to DER format:

   $ openssl x509 -outform der -in test-signing-certs.pem -out test-signing-certs.der

5. Import the test DER certificate as a MOK (Machine Owner Key). There are two ways of doing that:

  • a) Install mokutil and import the certificate with it:

   $ mokutil --import test-signing-certs.der
  • The last command may require a password to manage the keys and certificates.
  • b) Place the certificate in /boot/efi/EFI/debian and add it using the graphical interface provided by shim. Boot into the EFI shell and run the following command:

Shell> fs0:\EFI\debian\mmx64.efi
  • Then, perform the actions below:
    • Select the option Enroll key from disk.
    • Select the disk option that represents your EFI partition.
    • Go to the EFI/debian directory.
    • Select test-signing-certs.der.
    • Select Continue and confirm the action (Yes).

  • Now our test certificate is enrolled and you can select Continue boot. To exit the EFI shell, run:

Shell> exit

6. Enable Secure Boot

7. Reboot the machine and enjoy the Secure Boot feature :)

Do not forget to check that grub is loading the signed Linux image 4.19.0-1-amd64.
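The checks a practitioner would run after step 7, as an added example that is not part of the wiki page: a POSIX shell script that decodes the SecureBoot and SetupMode variables through efivarfs (assumed mounted at /sys/firmware/efi/efivars), asks mokutil whether the test certificate from step 5 is enrolled, and verifies the kernel image from step 2 against the test certificate with sbverify from the sbsigntool package. The certificate file names and the kernel path are the ones used above; EFIVARS, CERT_PEM, CERT_DER and KERNEL are variables introduced here and can be overridden from the environment, and the mokutil --test-key exit-code convention (0 when the key is already enrolled) is an assumption of this script.

```shell
#!/bin/sh
# Post-enrollment checks for the Secure Boot test procedure above.
# Added example, not part of the wiki page. Assumptions not stated on the page:
# efivarfs is mounted at /sys/firmware/efi/efivars, and mokutil and sbverify
# (sbsigntool) are installed.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# GUID of the EFI_GLOBAL_VARIABLE namespace, which owns SecureBoot and SetupMode.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Files produced or installed by the steps above (overridable from the environment).
CERT_PEM=${CERT_PEM:-test-signing-certs.pem}
CERT_DER=${CERT_DER:-test-signing-certs.der}
KERNEL=${KERNEL:-/boot/vmlinuz-4.19.0-1-amd64}

# efivarfs prepends a 4-byte attribute word to every variable's payload.
# For SecureBoot and SetupMode the payload is a single byte (0 or 1); print it
# as a decimal number. Fails (returns 1) if the variable does not exist.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Classify the firmware state from the two variables found in directory $1
# (defaults to the efivarfs mount point):
#   setup-mode : SetupMode=1, the firmware accepts key changes and does not enforce
#   enabled    : SecureBoot=1, shim/grub/kernel signatures are enforced
#   disabled   : SecureBoot=0, the chain is not enforced (step 6 not done)
#   unknown    : variables missing (legacy BIOS boot or efivarfs not mounted)
secure_boot_state() {
    dir=${1:-$EFIVARS}
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || setup=""
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || sb=""
    if [ "$setup" = "1" ]; then
        echo setup-mode
    elif [ "$sb" = "1" ]; then
        echo enabled
    elif [ "$sb" = "0" ]; then
        echo disabled
    else
        echo unknown
    fi
}

# Report on the whole chain: firmware state, MOK enrollment, kernel signature.
sb_report() {
    state=$(secure_boot_state)
    echo "firmware: Secure Boot $state"
    [ "$state" = "enabled" ] || echo "warning: signatures are not enforced until Secure Boot is enabled (step 6)"

    # Assumption: mokutil --test-key exits 0 when the DER certificate is already in MokList.
    if mokutil --test-key "$CERT_DER" >/dev/null 2>&1; then
        echo "mok: $CERT_DER is enrolled"
    else
        echo "mok: $CERT_DER is NOT enrolled (step 5 incomplete, or the enrollment reboot is still pending)"
    fi

    # sbverify checks the Authenticode signature embedded in the kernel image
    # against the PEM certificate, which is what shim/grub verify at boot.
    if sbverify --cert "$CERT_PEM" "$KERNEL" >/dev/null 2>&1; then
        echo "kernel: $KERNEL is signed by $CERT_PEM"
    else
        echo "kernel: $KERNEL is NOT signed by $CERT_PEM (check which image grub loads)"
    fi
}

# Run the report only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --check) sb_report ;;
esac
```

Run it as `sh check-secure-boot.sh --check`; without the argument it only defines the functions. The state decoding is kept separate from the mokutil and sbverify calls so it can be exercised against constructed variable files: a 5-byte file whose fifth byte is 1 stands for an enabled variable, which is exactly what efivarfs exposes.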

So far, the steps above have been performed on the following hardware:

  • ThinkPad X230
  • Minnowboard Turbot
  • HP 250 G4 (using method b)
  • ASUS ZenBook Pro 15 UX550GE
  • Dell XPS 13 2013 (L322X) failed at step 5.
    • [2019-01-08] tested by coucouf
      • mokutil fails with the message Failed to enroll new keys and return code 255 after giving a new password twice
      • no visible way to get to a UEFI shell on that machine for method b)
  • ThinkPad Yoga12