In the UEFI setup, I see options to clear the secure boot keys, to install the default secure boot keys, and to install an Intel-owned PK. I don't see any option to load keys from storage. That's not the end of the world; in fact I prefer to manage secure boot from the OS anyway. I cleared the secure boot keys and rebooted. However, I found that I cannot install a PK via the EFI variable filesystem from Linux.
Initial state:
* Secure Boot: Enabled (checked)
* Clear Secure Boot Variables on next boot (checked)
After one reboot:
* Secure Boot: Enabled (checked)
* Secure Boot Mode: Custom
* PK,KEK,db,dbx: Not Installed
Commands:
$ od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*
6 0 0 0 0
$ ls /sys/firmware/efi/efivars/{PK-*,KEK-*,db-*,dbx-*}
ls: cannot access '/sys/firmware/efi/efivars/PK-*': Invalid argument
ls: cannot access '/sys/firmware/efi/efivars/KEK-*': Invalid argument
ls: cannot access '/sys/firmware/efi/efivars/db-*': Invalid argument
ls: cannot access '/sys/firmware/efi/efivars/dbx-*': Invalid argument
$ sbkeysync --verbose --pk --dry-run --keystore /tmp/sb
Filesystem keystore:
/tmp/sb/db/db.signed [2196 bytes]
/tmp/sb/KEK/KEK.signed [2201 bytes]
/tmp/sb/PK/PK.signed [2196 bytes]
firmware keys:
PK:
KEK:
db:
dbx:
filesystem keys:
PK:
/CN=.....
from /tmp/sb/PK/PK.signed
KEK:
/CN=......
from /tmp/sb/KEK/KEK.signed
db:
/CN=....
from /tmp/sb/db/db.signed
dbx:
New keys in filesystem:
/tmp/sb/db/db.signed
/tmp/sb/KEK/KEK.signed
/tmp/sb/PK/PK.signed
$ sudo sbkeysync --verbose --pk --keystore /tmp/sb
....same as above, but not a dry run this time...
New keys in filesystem:
/tmp/sb/db/db.signed
/tmp/sb/KEK/KEK.signed
/tmp/sb/PK/PK.signed
Inserting key update /tmp/sb/db/db.signed into db
Inserting key update /tmp/sb/KEK/KEK.signed into KEK
Error writing key update: Invalid argument
Error syncing keystore file /tmp/sb/KEK/KEK.signed
$ sudo lsattr /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
lsattr: No such file or directory while trying to stat /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
----i--------------- /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
----i--------------- /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
lsattr: No such file or directory while trying to stat /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
$ sudo chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
chattr: No such file or directory while trying to stat /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
$ sudo sbkeysync --verbose --pk --keystore /tmp/sb
...
firmware keys:
PK:
KEK:
db:
/CN=...
dbx:
...
New keys in filesystem:
/tmp/sb/KEK/KEK.signed
/tmp/sb/PK/PK.signed
Inserting key update /tmp/sb/KEK/KEK.signed into KEK
Error writing key update: Invalid argument
Error syncing keystore file /tmp/sb/KEK/KEK.signed
For whatever reason, I can't install the KEK or PK from the operating system and I don't see an option to do it from the UEFI setup either.
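The variable dumps above are easier to reason about once the efivarfs layout is decoded: each file starts with a 4-byte little-endian attribute word and the variable data follows, so the `od` output `6 0 0 0 0` is attributes 0x06 (BS|RT) and a SecureBoot value of 0. A PK/KEK/db/dbx update written through efivarfs must carry the time-based-authenticated attribute set and start with an EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME, then a WIN_CERTIFICATE_UEFI_GUID wrapping a PKCS#7 signature), which is what sbkeysync writes from the `.signed` files. The following is an added example, not code from the thread or from sbsigntools: it parses an efivarfs file, reports the Secure Boot / Setup Mode verdict, validates the AUTHENTICATION_2 header of a key update and builds the buffer a tool would write. Function names are mine, the structure layouts are from the UEFI specification, the GUIDs are the ones in the file names quoted above, and the sample blob is constructed (its "signature" is dummy bytes). Nothing here writes to the firmware.

```python
"""Decode efivarfs files and sanity-check a signed Secure Boot key update (added example)."""
import struct
import uuid

# Variable attribute bits from the UEFI specification (SetVariable()).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
ATTR_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "NV",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "BS",
    EFI_VARIABLE_RUNTIME_ACCESS: "RT",
    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS: "TIME_AUTH",
}
# Attribute set every PK/KEK/db/dbx update must carry (0x27).
KEY_DB_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

# Vendor GUIDs: these are the suffixes of the efivarfs file names in the thread.
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")        # PK, KEK, SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
EFIVARFS = "/sys/firmware/efi/efivars"


def efivarfs_path(name):
    """Path of a Secure Boot variable under efivarfs (db/dbx live under the image security GUID)."""
    guid = EFI_IMAGE_SECURITY_DATABASE_GUID if name in ("db", "dbx") else EFI_GLOBAL_VARIABLE_GUID
    return f"{EFIVARFS}/{name}-{guid}"


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data): 4-byte LE attribute word, then the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def attr_names(attrs):
    return [name for bit, name in ATTR_NAMES.items() if attrs & bit]


def secure_boot_state(secureboot_raw, setupmode_raw):
    """Verdict from the SecureBoot and SetupMode variables (both single-byte values)."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    if sm and sm[0] == 1:
        # No PK enrolled: the firmware is in Setup Mode and does not enforce signatures,
        # whatever the setup menu's "Secure Boot: Enabled" toggle says.
        return "setup mode (no PK): not enforcing"
    return "user mode: enforcing" if sb and sb[0] == 1 else "user mode: not enforcing"


def parse_auth2(blob):
    """Validate the EFI_VARIABLE_AUTHENTICATION_2 header of a *.signed key update.

    Layout: EFI_TIME (16 bytes) + WIN_CERTIFICATE_UEFI_GUID (dwLength, wRevision,
    wCertificateType, CertType GUID, PKCS#7 data) + the ESL payload being installed."""
    if len(blob) < 16 + 8 + 16:
        raise ValueError("too short for an AUTHENTICATION_2 header")
    (year, month, day, hour, minute, second,
     pad1, nanos, tz, daylight, pad2) = struct.unpack_from("<HBBBBBBIhBB", blob, 0)
    if pad1 or nanos or tz or daylight or pad2:
        raise ValueError("EFI_TIME pad, nanosecond, timezone and daylight fields must be zero")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    cert_guid = uuid.UUID(bytes_le=blob[24:40])
    if cert_type != WIN_CERT_TYPE_EFI_GUID or cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("certificate wrapper is not WIN_CERT_TYPE_EFI_GUID with a PKCS7 CertType")
    if revision != WIN_CERT_REVISION:
        raise ValueError(f"unexpected WIN_CERTIFICATE revision {revision:#x}")
    pkcs7_len = dw_length - 8 - 16          # dwLength covers the wrapper header too
    if pkcs7_len < 0 or 40 + pkcs7_len > len(blob):
        raise ValueError("dwLength inconsistent with blob size")
    return {"timestamp": (year, month, day, hour, minute, second),
            "pkcs7_len": pkcs7_len,
            "payload_len": len(blob) - 40 - pkcs7_len}


def efivarfs_write_buffer(auth_blob):
    """Bytes a tool must write to the efivarfs file for a key database variable."""
    parse_auth2(auth_blob)  # reject a malformed update before it reaches the firmware
    return struct.pack("<I", KEY_DB_ATTRS) + auth_blob


def make_sample_auth2(pkcs7, payload, ts=(2016, 8, 12, 11, 30, 0)):
    """Constructed sample blob for testing; the PKCS#7 bytes are not a real signature."""
    efi_time = struct.pack("<HBBBBBBIhBB", *ts, 0, 0, 0, 0, 0)
    wrapper = struct.pack("<IHH", 8 + 16 + len(pkcs7), WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + wrapper + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload


if __name__ == "__main__":
    # The SecureBoot bytes are the od output from the thread; SetupMode = 1 is constructed.
    print(secure_boot_state(bytes([6, 0, 0, 0, 0]), bytes([6, 0, 0, 0, 1])))
    print(attr_names(KEY_DB_ATTRS), efivarfs_path("KEK"))
```

On a live system, `open(efivarfs_path("SetupMode"), "rb").read()` feeds `secure_boot_state` directly. The kernel marks efivarfs files immutable (the `i` shown by `lsattr` above), so a write of the buffer from `efivarfs_write_buffer` has to be preceded by `chattr -i` on that file, and it must be a single `write()` of the whole buffer; a header check like `parse_auth2` separates "the update file is malformed" from "the firmware rejected a well-formed update", which an `EINVAL` alone does not tell you.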
What is the model number of your NUC?
Doc
$ sudo dmidecode
...
BIOS Information
Vendor: Intel Corp.
Version: PYBSWCEL.86A.0055.2016.0812.1130
...
Base Board Information
Manufacturer: Intel Corporation
Product Name: NUC5PPYB
Version: H76558-107
Hi HuckBerry,
Welcome to our new community platform.
The Intel® NUC Kit NUC5PPYH has been discontinued and we no longer offer interactive support for this product but other community members may collaborate on this request.
I would also recommend that you review the documentation that I am attaching to this post.
Thanks for the response. I don't suspect this is specific to the model NUC I have, but rather to the firmware that is likely shared among several models. I subscribed to Michael M's thread as I suspect it's the same question. If you could provide documentation on how to load a custom PK key into the newest model NUC, I could try working backwards from there to see if it works on my NUC.
The documentation you linked is a good guide for developing, but it only illustrates testing the signing keys on a virtual machine. My question is how to load the keys into a real NUC.