Written by:
linux22
Linux Mint (but also Ubuntu) - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT
Author: Naldi Stefano (linux22 at Mint Forum)
April 2017

Version 1.2

Last update: 30 November 2017

 

Tutorials concerning the installation of Linux Mint with Full Disk Encryption, directory /boot included:

 

Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

How to enable UEFI Secure Boot with your own Custom keys

Step 1 - How to enable PC UEFI Secure Boot and put Secure Boot in Standard Mode

Step 2 - How to install Linux Mint FDE

Step 3 - How to enable PC UEFI Secure Boot, put Secure Boot in Custom Mode and Clear Secure Boot Data

Step 4 - How to create, enroll and activate your Secure Boot own Custom keys in your PC UEFI

Step 5 - Restart your PC UEFI with Secure Boot enabled in Custom Mode

Appendix A - How to set up your Custom keys and Microsoft keys together

Method 1 - Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform

Method 2 - Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories

 

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT

Copyright (C) 2017, 2018 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see <http://www.gnu.org/licenses/>.

 

 

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT

Copyright (C) 2017, 2018 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see <http://www.gnu.org/licenses/>.

 

How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT

I wrote this guide/tutorial in the hope that it will be useful for everyone who needs a Linux installation with UEFI Secure Boot enabled. The solution reported here is EXPERIMENTAL and requires good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 18.X (Cinnamon and MATE) and Ubuntu 16.X and 17.X, all 64 bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

This tutorial is devoted to a real and hard problem: dealing with UEFI Secure Boot while running a non-Windows operating system. Almost every computer sold today has UEFI and Secure Boot capability, but its default configuration is made for Windows operating systems such as 8.1 and 10. Here I present my solution for enabling UEFI Secure Boot on a computer running Linux Mint, also with Full Disk Encryption. This solution provides a full set of Custom Keys (PK, KEK and db) generated by the user (the commands are extracted from the 'cryptboot' package, developed by Michal Krenek 'Mikos' at https://github.com/xmikos/cryptboot). With this configuration you gain full control of your computer, but you will be unable to install a Windows OS such as 8.1 or 10 while Secure Boot is enabled, unless you decide to reinstall the Microsoft keys (in that case see Appendix A).

My first advice, if you want to install this solution, is that you MUST be familiar with UEFI configuration and with Secure Boot behaviour. My second advice, before attempting to install this solution, is to become familiar with your PC UEFI firmware Secure Boot configuration parameters, learn how to set them correctly and, if needed, how to restore the original standard keys (usually there is a specific command that restores Secure Boot to Standard Mode).

I want to thank Michal Krenek (Mikos) for his 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation. Although this package seems to be developed for Arch Linux, we can find within it the right commands and advice for almost every Linux distribution.

I have tested this solution with Mint 18 and Ubuntu 16.04 only.

As I always state, it is better to try this solution in a virtual machine, but in this case the only one supporting UEFI Secure Boot emulation for Linux is QEMU/KVM. I have tested this solution with QEMU/KVM and the OVMF firmware simulating UEFI with Secure Boot enabled. At the moment it seems to work smoothly.

The solution described here requires a lot of terminal commands. If you make a mistake and run a wrong command you can damage or erase the software structure of your PC UEFI firmware and HDD. So, if you run the commands listed in this guide/tutorial using 'Copy' and 'Paste', pay attention not to alter them.

 

Other useful links are these:

 

  • https://github.com/xmikos/cryptboot
  • https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot
  • https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd
  • http://www.rodsbooks.com/efi-bootloaders/index.html
  • https://bentley.link/secureboot/
  • https://wiki.archlinux.org/index.php/Secure_Boot
  • http://www.tianocore.org/news/2013/03/04/news.html
  • http://www.uefi.org/specifications

 

How to enable UEFI Secure Boot with your own Custom keys

Step 1

Boot your PC and enter the UEFI firmware, enable Secure Boot, then put your system in Secure Boot Standard Mode, installing the PC vendor Platform Key (PK) and the default Secure Boot platform keys (KEK, db, dbx, probably supplied by Microsoft).

These operations look very different on different PC brands. Here you can see an example showing how to set UEFI Secure Boot to 'Enabled' and Secure Boot to 'Standard Mode', loading the default keys (PK, KEK, db, dbx). This example is taken from a PC with Intel UEFI firmware (the image shows my test PC, an Intel NUC6I5SYH). Once you have set your UEFI firmware parameters, exit saving the changes and reboot. Then re-enter your UEFI firmware.

Here you can see an example of a PC with Intel UEFI firmware (the image shows my test PC, an Intel NUC6I5SYH) with UEFI Secure Boot enabled and Secure Boot in Standard Mode.

You can find more information about the UEFI firmware specifications at http://www.uefi.org/specifications and at http://www.tianocore.org/news/2013/03/04/news.html (Signing UEFI Images.pdf V1.31.pdf). You can see other examples of various PC brands' UEFI firmware configuration parameters above, in 'Other useful links'.

Remember that enrolling the PK in your UEFI firmware puts your UEFI platform in 'User Mode', as described in the paragraph "Enrolling The Platform Key" of the UEFI Specification (see http://www.uefi.org/specifications).

 

Step 2

Reboot your PC and start the installation of Linux Mint.

You can install Linux Mint (but also Ubuntu) with the default procedure or perform a Linux Mint Full Disk Encryption installation.

If you install Linux with the default procedure your resulting system will be unencrypted. Therefore, at the end of this procedure you must save all the resulting Secure Boot files (contained in the '/boot/efikeys' directory) in a separate and secure place. Then you must delete them from the '/boot/efikeys' directory.

If you install Linux with Full Disk Encryption (e.g. following my tutorials "Linux Mint 17.X and 18.X Full Disk Encryption (directory /boot included) Part 3 - PC with UEFI & HDD with GPT" or "Dual boot for Windows 10 + Linux Mint Full System Encryption (directory /boot included) - PC UEFI and HDD GPT") you can leave all the Secure Boot files in the '/boot/efikeys' directory. Remember that it is always advisable to back up the whole content of the '/boot/efikeys' directory in a separate and secure place.

It is not mandatory to set your system with Secure Boot enabled and Secure Boot in Standard Mode, but if you install Linux Mint on a PC without setting these features you cannot set some options during the Ubiquity installation (see the image below).

The second option in this page, 'Turn off Secure Boot', appears during the Ubiquity installation ONLY if your system has UEFI Secure Boot enabled !!!

Once the installation has finished, reboot your PC and check that your brand new Linux Mint, default or FDE, works fine. Remember that if you have installed Linux Mint with FDE you can boot it only by temporarily disabling Secure Boot (the grubx64.efi boot loader is still unsigned).

 

Step 3

Now reboot your PC and enter your UEFI firmware, enable Secure Boot and select Clear Secure Boot Data. These operations look very different on different PC brands, but remember that IT IS MANDATORY to CLEAR the UEFI firmware Secure Boot Data before starting the following procedure.

Here you can see an example showing how to enter UEFI Secure Boot Custom Mode and select Clear Secure Boot Data on a PC with Intel UEFI firmware (the image shows my test PC, an Intel NUC6I5SYH). Exit the UEFI firmware saving the changes and reboot your PC.

Before dealing with the following sets of terminal commands you MUST BE SURE that you have successfully set your PC UEFI firmware with Secure Boot enabled, Secure Boot in Custom Mode and selected Clear Secure Boot Data !!!

Remember that clearing the PK in your UEFI firmware puts your UEFI platform in 'Setup Mode', as described in the paragraph "Clearing The Platform Key" of the UEFI Specification (see http://www.uefi.org/specifications).

Lacking these conditions leads to an ineffective Secure Boot configuration !!!

 

Step 4

Once you have successfully installed the Linux Mint FDE solution as described in Step 2 and set your PC UEFI firmware with Secure Boot enabled, Secure Boot in Custom Mode and selected Clear Secure Boot Data, as described in Step 3, you can begin the procedure to enable UEFI Secure Boot with your own custom keys. This is possible with a few other commands, required for the generation and installation of the keys and for the signing and verification of the EFI boot loader.

So, once you have started your brand new Linux Mint FDE system, open a Terminal window and run the following 3 Terminal commands:

sudo -i

apt-get update

apt-get -y install secureboot-db sbsigntool efitools efivar fwts openssl

The first command puts your Terminal in root mode, while the other two install the packages required for dealing with UEFI Secure Boot.

-----

Now run the following 5 commands:

mkdir -p /boot/efikeys

cd /boot/efikeys

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256

The first and second commands create a new directory under /boot, where we put the files required for UEFI Secure Boot with your own custom keys. The last three commands build the X.509 certificates (and their private keys) for PK, KEK and db. Remember that you can set the 'CN' parameter at your own will.

-----

Now run the following 3 commands:

openssl x509 -in PK.crt -out PK.cer -outform DER

openssl x509 -in KEK.crt -out KEK.cer -outform DER

openssl x509 -in db.crt -out db.cer -outform DER

These commands convert the X.509 certificates to DER format.

-----

Now run the following 3 commands:

GUID="$(uuidgen --random)"

echo "$GUID" > GUID

echo "GUID = $GUID"

These commands generate your own GUID (the owner identifier attached to your certificates) and save it in the file /boot/efikeys/GUID.

-----

Now run the following 7 commands:

cert-to-efi-sig-list -g $GUID PK.crt PK.esl

cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl

cert-to-efi-sig-list -g $GUID db.crt db.esl

echo -n > PK_null.esl

sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

sign-efi-sig-list -k PK.key -c PK.crt PK PK_null.esl PK_null.auth

sync

The first three commands convert your PK, KEK and db certificates to EFI signature list (.esl) format, tagged with your GUID; the fourth creates an empty list (PK_null.esl); the fifth and sixth sign PK.esl and the empty list with your PK key, producing PK.auth and PK_null.auth (a signed empty PK list); the last one syncs the system.

-----

Now run the following 3 commands:

efi-updatevar -e -f KEK.esl KEK

efi-updatevar -e -f db.esl db

efi-updatevar -f PK.auth PK

These commands enroll your own custom keys (certificates) in your PC UEFI firmware. The PK is enrolled last on purpose: while the platform is still in Setup Mode the KEK and db can be written unsigned, but once the PK is in place every further change must be signed. If you get errors during this phase you have probably failed to set your PC UEFI firmware with Secure Boot enabled and Secure Boot in Custom Mode, or to select Clear Secure Boot Data.

Running the third command enrolls the PK in the UEFI firmware, putting the UEFI platform in 'User Mode', as described in the paragraph "Enrolling The Platform Key" of the UEFI Specification (see http://www.uefi.org/specifications).

-----

Now run the following 3 commands:

update-grub

grub-mkconfig -o /boot/grub/grub.cfg

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

These commands rebuild your GRUB EFI boot file, '/boot/efi/EFI/Mint/grubx64.efi', and create an EFI NVRAM boot entry named 'Mint'.

-----

Now run the following 7 commands:

cp -b -f /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/BOOT/bootx64.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/Mint/grubx64.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/bootx64.efi /boot/efi/EFI/BOOT/bootx64.efi

sync

sbverify --cert db.crt /boot/efi/EFI/Mint/grubx64.efi

sbverify --cert db.crt /boot/efi/EFI/BOOT/bootx64.efi

exit

These commands create the usual default UEFI boot loader copy ('/boot/efi/EFI/BOOT/bootx64.efi'), sign your grubx64.efi and bootx64.efi files, sync your system, verify the files' signatures against db.crt and exit from your root Terminal. If you do not need a default UEFI boot loader you can skip the first, third and sixth commands.

Remember that you MUST sign the grubx64.efi and, if present, bootx64.efi files EVERY TIME THEY ARE REBUILT (i.e. after a new kernel installation, GRUB update, etc.).

 

Step 5

Now reboot your PC and enter UEFI firmware.

These operations look very different on different PC brands. Here you can see an example showing an Intel PC UEFI firmware with Secure Boot enabled and Secure Boot in Custom Mode (the image shows my test PC, an Intel NUC6I5SYH).

Now you can restart your PC, finally with Secure Boot enabled and Secure Boot in Custom Mode.

Now only boot loader files signed with your own Custom keys can boot your PC.

If you have installed Linux Mint with Full Disk Encryption (as recommended above) only one file remains exposed outside the encrypted partition. This file is the EFI boot loader 'grubx64.efi'. But now this file is protected too, because UEFI Secure Boot is enabled. In this way you can counteract an "Evil Maid" attack.

REMEMBER THAT YOU MUST SET A SUPERUSER/SUPERVISOR PASSWORD FOR YOUR UEFI FIRMWARE, thus preventing unauthorized people from disabling Secure Boot !!!

Nevertheless you must be aware that you are still vulnerable, because an attacker with physical access can install a hardware keylogger on your PC, or reflash or reset your UEFI firmware and thus remove the Superuser/Supervisor password and/or disable Secure Boot.

My last advice is to save the whole content of your '/boot/efikeys' directory in a SEPARATE and SECURE place.

 

Appendix A - How to set up your Custom keys and Microsoft keys together

If you want to install your own Custom keys but also retain the Microsoft keys you can use one of the following two methods.

But why?

Because you need to boot a Linux Live CD without disabling Secure Boot (e.g. to access your encrypted partition, as described in Appendix B of my tutorial LINUX MINT FDE FOR PC UEFI + HDD GPT)?

Or because you want to install a dual boot system with Windows and Linux Mint (e.g. like that described in my tutorial DUAL BOOT FOR WINDOWS 10 & LINUX MINT FOR PC UEFI + HDD GPT) with Secure Boot enabled?

In both methods we build combined (Custom + Microsoft) .esl files, using 'cat' to merge the .esl lists together, and write each variable once. That is advisable because some PC UEFI firmware (like my test PC, an Intel NUC6I5SYH) exhibits the "you can only set new values, but not append to them" firmware bug.

For more details see https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot.
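As an added example (not part of this tutorial or of cryptboot), the Python below builds the same EFI_SIGNATURE_LIST structure that cert-to-efi-sig-list produces in Step 4, and then parses a merged .esl of the kind the 'cat' commands in this Appendix create, listing the owner GUID of every certificate so you can check that both your GUID and Microsoft's survived the merge. The certificate bytes and MY_GUID_EXAMPLE are constructed stand-ins; the Microsoft owner GUID is the one quoted in Method 2.

```python
import struct
import uuid

# Signature type for X.509 entries, from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Owner GUID Microsoft uses for its KEK/db certificates (quoted in Method 2).
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Constructed stand-in for the value 'uuidgen --random' writes to /boot/efikeys/GUID.
MY_GUID_EXAMPLE = uuid.UUID("12345678-1234-5678-1234-567812345678")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, 28 bytes).
ESL_HEADER = struct.Struct("<16sIII")


def cert_to_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, the same layout
    'cert-to-efi-sig-list -g <owner> cert.crt out.esl' writes."""
    sig_size = 16 + len(der_cert)            # EFI_SIGNATURE_DATA = owner GUID + cert
    list_size = ESL_HEADER.size + sig_size   # one list holding one signature
    # GUIDs are stored in UEFI's mixed-endian layout, which uuid.bytes_le gives.
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esl(blob: bytes):
    """Walk a file holding one or more concatenated signature lists (what
    'cat old_KEK.esl >> KEK.esl' produces) and return a list of
    (signature_type, owner, data) tuples. An empty blob, like PK_null.esl,
    yields []. Malformed sizes raise ValueError instead of being skipped."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=sig_type_raw)
        body_start = off + ESL_HEADER.size + hdr_size
        body_end = off + list_size
        if list_size < ESL_HEADER.size + hdr_size or body_end > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16 or (body_end - body_start) % sig_size != 0:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = body_end
    return entries


def owners(blob: bytes) -> list:
    """Owner GUIDs of every X.509 entry, in file order: a quick check that a
    merged db.esl still carries both your own GUID and Microsoft's."""
    return [str(owner) for sig_type, owner, _ in parse_esl(blob)
            if sig_type == EFI_CERT_X509_GUID]


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real input would be the
    # bytes of db.cer and of MicWinProPCA2011_2011-10-19.crt.
    my_db = cert_to_esl(b"\x30\x82\x01\x00" + b"A" * 60, MY_GUID_EXAMPLE)
    ms_db = cert_to_esl(b"\x30\x82\x02\x00" + b"B" * 90, MS_OWNER_GUID)
    merged = my_db + ms_db                   # what 'cat MS_Win_db.esl >> db.esl' yields
    for guid in owners(merged):
        print("db entry owned by", guid)
    print("PK_null.esl entries:", parse_esl(b""))
```

Run it against a real file with parse_esl(open("/boot/efikeys/db.esl", "rb").read()) to see what efi-updatevar is about to write.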
 

Method 1 - Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform

My opinion is that this method is more secure. Furthermore, you can also restore the dbx certificates.

Follow this tutorial from Step 1 and, at the end of Step 2, after you have installed your brand new Linux Mint, reboot, log in and run the following 2 Terminal commands:

sudo apt-get update

sudo apt-get -y install secureboot-db sbsigntool efitools efivar fwts openssl


Once you have successfully installed these UEFI Secure Boot tools, run the following 5 commands:


sudo mkdir -p /boot/efikeys

sudo efi-readvar -v PK -o /boot/efikeys/old_PK.esl

sudo efi-readvar -v KEK -o /boot/efikeys/old_KEK.esl

sudo efi-readvar -v db -o /boot/efikeys/old_db.esl

sudo efi-readvar -v dbx -o /boot/efikeys/old_dbx.esl


These commands save your original PC UEFI PK, KEK, db and dbx certificates (in .esl format) inside the directory '/boot/efikeys'. Remember that your PC UEFI firmware is still in Standard Mode, so the saved keys are those from Microsoft (KEK, db, dbx) and from your PC vendor (PK).

Go ahead until the end of Step 3, skip Step 4 and run instead the following set of commands:

sudo -i

cd /boot/efikeys

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256

openssl x509 -in PK.crt -out PK.cer -outform DER

openssl x509 -in KEK.crt -out KEK.cer -outform DER

openssl x509 -in db.crt -out db.cer -outform DER

GUID="$(uuidgen --random)"

echo "$GUID" > GUID

echo "GUID = $GUID"

cert-to-efi-sig-list -g $GUID PK.crt PK.esl

cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl

cert-to-efi-sig-list -g $GUID db.crt db.esl

echo -n > PK_null.esl

sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

sign-efi-sig-list -k PK.key -c PK.crt PK PK_null.esl PK_null.auth

sync

cat old_KEK.esl >> KEK.esl

cat old_db.esl >> db.esl

efi-updatevar -e -f KEK.esl KEK

efi-updatevar -e -f db.esl db

efi-updatevar -e -f old_dbx.esl dbx

efi-updatevar -f PK.auth PK

update-grub

grub-mkconfig -o /boot/grub/grub.cfg

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

cp -b -f /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/BOOT/bootx64.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/Mint/grubx64.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/bootx64.efi /boot/efi/EFI/BOOT/bootx64.efi

sync

sbverify --cert db.crt /boot/efi/EFI/Mint/grubx64.efi

sbverify --cert db.crt /boot/efi/EFI/BOOT/bootx64.efi

exit
 

Now your Custom keys and Microsoft keys are loaded together in your PC UEFI firmware and you can go on to Step 5.

 

Method 2 - Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories


Remember that with this method YOU CAN NOT RESTORE dbx keys (certificates).

Follow this tutorial from Step 1 and, at the end of Step 2, after you have installed your brand new Linux Mint, reboot, log in and run the following Terminal command:

sudo mkdir -p /boot/efikeys
 

Now download the following 3 files from the Microsoft repository on the Internet, saving them inside the '/boot/efikeys' directory (for more details see https://firmware.intel.com/messages/219):

http://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt

http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt

http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

 

Remember that the correct Microsoft GUID for these certificates is: 77fa9abd-0359-4d32-bd60-28f4e78f784b


Go ahead until the end of Step 3, skip Step 4 and run the following set of commands:

sudo -i

apt-get update

apt-get -y install secureboot-db sbsigntool efitools efivar fwts openssl

cd /boot/efikeys

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=linux22 db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256

openssl x509 -in PK.crt -out PK.cer -outform DER

openssl x509 -in KEK.crt -out KEK.cer -outform DER

openssl x509 -in db.crt -out db.cer -outform DER

GUID="$(uuidgen --random)"

echo "$GUID" > GUID

echo "GUID = $GUID"

cert-to-efi-sig-list -g $GUID PK.crt PK.esl

cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl

cert-to-efi-sig-list -g $GUID db.crt db.esl

echo -n > PK_null.esl

sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

sign-efi-sig-list -k PK.key -c PK.crt PK PK_null.esl PK_null.auth

openssl x509 -inform DER -outform PEM -in MicCorKEKCA2011_2011-06-24.crt -out MicCorKEKCA2011_2011-06-24.crt.pem

openssl x509 -inform DER -outform PEM -in MicWinProPCA2011_2011-10-19.crt -out MicWinProPCA2011_2011-10-19.crt.pem

openssl x509 -inform DER -outform PEM -in MicCorUEFCA2011_2011-06-27.crt -out MicCorUEFCA2011_2011-06-27.crt.pem

cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorKEKCA2011_2011-06-24.crt.pem MS_KEK.esl

cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicWinProPCA2011_2011-10-19.crt.pem MS_Win_db.esl

cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b MicCorUEFCA2011_2011-06-27.crt.pem MS_UEFI_db.esl

sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k PK.key -c PK.crt KEK MS_KEK.esl MS_KEK.auth

sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db MS_Win_db.esl add_MS_Win_db.auth

sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db MS_UEFI_db.esl add_MS_UEFI_db.auth

sync

cat MS_KEK.esl >> KEK.esl

cat MS_Win_db.esl MS_UEFI_db.esl >> db.esl

efi-updatevar -e -f KEK.esl KEK

efi-updatevar -e -f db.esl db

efi-updatevar -f PK.auth PK

update-grub

grub-mkconfig -o /boot/grub/grub.cfg

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

cp -b -f /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/BOOT/bootx64.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/Mint/grubx64.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/bootx64.efi /boot/efi/EFI/BOOT/bootx64.efi

sync

sbverify --cert db.crt /boot/efi/EFI/Mint/grubx64.efi

sbverify --cert db.crt /boot/efi/EFI/BOOT/bootx64.efi

exit
 

Now your Custom keys and Microsoft keys are loaded together in your PC UEFI firmware and you can go on to Step 5.

 


 

The topic for this tutorial at the Mint Forum is: https://forums.linuxmint.com/viewtopic.php?t=198077