Community
cancel
Showing results for 
Search instead for 
Did you mean: 
HuckBerry
Beginner
889 Views

How do I enroll custom Platform Key (PK) for Secure Boot

In the UEFI setup, I see options to clear the secure boot keys, to install the default secure boot keys, and to install an Intel-owned PK. I don't see any option to load keys from storage. That's not the end of the world, in fact I prefer to manage secure boot from the OS anyway. I cleared the secure boot keys and rebooted. However, I found that I cannot install a PK via the EFI variable filesystem from linux.

 

Initial state:

* Secure Boot: Enabled (checked)

* Clear Secure Boot Variables on next boot (checked)

 

After one reboot:

* Secure Boot: Enabled (checked)

* Secure Boot Mode: Custom

* PK,KEK,db,dbx: Not Installed

 

Commands:

$ od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot* 6 0 0 0 0   $ ls /sys/firmware/efi/efivars/{PK-*,KEK-*,db-*,dbx-*} ls: cannot access '/sys/firmware/efi/efivars/PK-*': Invalid argument ls: cannot access '/sys/firmware/efi/efivars/KEK-*': Invalid argument ls: cannot access '/sys/firmware/efi/efivars/db-*': Invalid argument ls: cannot access '/sys/firmware/efi/efivars/dbx-*': Invalid argument   $ sbkeysync --verbose --pk --dry-run --keystore /tmp/sb Filesystem keystore: /tmp/sb/db/db.signed [2196 bytes] /tmp/sb/KEK/KEK.signed [2201 bytes] /tmp/sb/PK/PK.signed [2196 bytes] firmware keys: PK: KEK: db: dbx: filesystem keys: PK: /CN=..... from /tmp/sb/PK/PK.signed KEK: /CN=...... from /tmp/sb/KEK/KEK.signed db: /CN=.... from /tmp/sb/db/db.signed dbx: New keys in filesystem: /tmp/sb/db/db.signed /tmp/sb/KEK/KEK.signed /tmp/sb/PK/PK.signed   $ sudo sbkeysync --verbose --pk --keystore /tmp/sb ....same as above, not not a dry run this time... New keys in filesystem: /tmp/sb/db/db.signed /tmp/sb/KEK/KEK.signed /tmp/sb/PK/PK.signed Inserting key update /tmp/sb/db/db.signed into db Inserting key update /tmp/sb/KEK/KEK.signed into KEK Error writing key update: Invalid argument Error syncing keystore file /tmp/sb/KEK/KEK.signed   $ sudo lsattr /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f   lsattr: No such file or directory while trying to stat /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c ----i--------------- /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c ----i--------------- /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f lsattr: No such file or directory while trying to stat /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f   $ sudo chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c chattr: No such file or directory while trying to stat /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c   $ sudo sbkeysync --verbose --pk --keystore /tmp/sb ... firmware keys: PK: KEK: db: /CN=... dbx: ... New keys in filesystem: /tmp/sb/KEK/KEK.signed /tmp/sb/PK/PK.signed Inserting key update /tmp/sb/KEK/KEK.signed into KEK Error writing key update: Invalid argument Error syncing keystore file /tmp/sb/KEK/KEK.signed

 

For whatever reason, I can't install the KEK or PK from the operating system and I don't see an option to do it from the UEFI setup either.

Tags (2)
0 Kudos
4 Replies
AlHill
Super User
869 Views

What is the model number of your NUC?

 

Doc

 

HuckBerry
Beginner
869 Views

$ sudo dmidecode ... BIOS Information Vendor: Intel Corp. Version: PYBSWCEL.86A.0055.2016.0812.1130 ... Base Board Information Manufacturer: Intel Corporation Product Name: NUC5PPYB Version: H76558-107

 

Ronny_G_Intel
Moderator
865 Views

Hi HuckBerry,

 

Welcome to our new community platform.

The Intel® NUC Kit NUC5PPYH has been discontinued and we no longer offer interactive support for this product but other community members may collaborate on this request.

I would also recommend that you review the documentation that I am attaching to this post.

 

 

 

 
 
 
 
 
 
HuckBerry
Beginner
860 Views

Thanks for the response. I don't suspect this is specific to the model NUC I have, but rather to the firmware that is likely shared among several models. I subscribed to Michael M's thread as I suspect it's the same question. If you could provide documentation on how to load a custom PK key into the newest model NUC, I could try working backwards from there to see if it works on my NUC.

 

The documentation you linked is a good guide for developing, but it only illustrates testing the signing keys on a virtual machine. My question is how to load the keys into a real NUC.

Reply