Can you provide instructions for installing custom secure boot keys (PK, KEK, db)? I have checked the user guide and TPS, as well as tried via the BIOS interface. I can clear the existing keys, but it's not obvious how to load my keys. Perhaps I place them on a USB drive with specific filenames?
Good question! The BIOS Glossary talks about a selection that is used for reading the information from a file, but I am not seeing this selection exposed by any of the NUCs.
I would recommend that you review the following documentation:
I am also attaching the "Signing UEFI Applications and Drivers for UEFI Secure Boot" white paper for your reference.
We provide the hardware needed for this implementation but this is more on the software/Operating System side (OEM/Microsoft*)
I hope this helps,
Hi Ronny, thanks for the reply. Sorry, but this is not what I'm asking. I am asking for specific instructions for loading custom secure boot keys into the NUC. You can use NUC8i7HVB as a proxy for the model number since I use many NUCs. Clearly the NUC BIOS intends to support this ability, but I have no idea how to actually load my custom PK, KEK, and db into the NUC.
Thanks for the help,
I just chatted with Chris V. about this request and my understanding is that he is also working with you so we will contact you back as soon as possible.
I was faced with exactly this problem, trying to install VMWare drivers on Ubuntu, running on my NUC.
I followed these instructions to get them built and signed, but it provided no guidance on how to enroll the signed keys into the UEFI on my NUC.
After a boot, F2 brought up the BIOS editor.
On the "Security" tab, under "HDD Security Configuration", there's a "Security Features" link.
Click that brings up a list of configuration settings. The first is "Allow UEFI 3rd party driver loaded".
I checked that and hit F10 to save and reboot.
On reboot, I landed on a page that asked me to select a MOK key, and then to enter its password.
I should have asked or read this first.
Looks like I broke my NUC8i7HVK: replaced the keys using Linux efitools, signed my boot efi's and enabled SecureBoot.
Now I cannot even get into the BIOS. It seems it tries to do something with the display, but nothing is visible.
This "Hades Canyon completely bricked after enabling Secure Boot" does not look very promising.
Any ideas how to fix it?
I had saved the original keys, I think. But since I cannot get a Visual BIOS I cannot do anything.
I even do not know, what's the current state.
No, I only replaced my broken NUC8 with another.
I'm quite confident I'd dead-lock it again if I try the same.
A BIOS update to fix this would be great, but I do not expect anything as it's probably too old, now.
Never get an Intel again, I'd say.
Same problem here. Using an Intel NUC Hades Canyon. I need to install custom PK, KEK and DB, but the option is not available in Secure Boot Config. I have cleared the Secure Boot data, and now my PK is listed as "Not Installed", but the BIOS does not allow me to install one (only the Intel Platform Key can be installed).
This is weird because Secure Boot Mode is said to be "Custom", but it does not allow you to customize the Secure Boot variables (which is the sole purpose of Custom mode).
I tried this with and without the security jumper, but no luck.
I have also updated to the latest BIOS release posted here https://downloadcenter.intel.com/download/30320/BIOS-Update-HNKBLi70-
Is there any way of enrolling those certs from the EFI Shell?
Still no answer from Intel.
I'd not recommend trying this without confirmation that it can work.
The risk is that you cannot access the Visual BIOS anymore after replacing the keys and enabling Secure Boot: effectively a dead-lock, because you need the Visual BIOS to disable Secure Boot.
Intel: is this question still being researched ?
For those with "bricked" NUCs... have you tried to access the BIOS using the power button?
- Make sure the system is off, and not in Hibernate or Sleep mode.
- Press the power button and hold it down for three seconds and release it. The power button menu should display.
Tip: If the system boots to the OS after trying this procedure then you didn't hold the button quite long enough. If the system simply shuts down after trying this procedure, then you held the button too long (longer than 4 seconds).
- Press F2 to enter BIOS Setup.
I'm dealing with a related problem.
See "NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot" for what I tried.
I still want to try the same with a Windows-formatted USB stick as Leon suggested. If that does not help, I'll probably go for a replacement.
I wonder, what Intel will do when they get the machine. I guess they have lower-level tools to replace the BIOS with a pristine one (i.e. the original keys).
I'm surprised there's no method to disable Secure Boot in Configuration Mode: i.e. with the Security Jumper removed.
( If such a method exists, please tell me! )
Physically removing the jumper is not something a remote hacker can do, so it would not affect Secure Boot in any way.
My last action before the HDMI display went silent was turning on Secure Boot, so reverting that would probably resolve the issue for now.
NOTE: I mean disabling Secure Boot without anything visible on the HDMI display.
It looks like the NUC's Visual BIOS is a no go for installing custom Secure Boot keys.
There is no "import" function (or it must be hidden very well!)
I had some level of success with KeyTool by following this wiki https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#keytool.
I was able to import the DB and KEK, but my PK don't have the ".auth" format required by KeyTool. In my case, I only have the public part of the PK, and I may need the private part to generate the .auth file.
The process I followed is (on my Fedora 33):
1. Prepare a USB formatted in FAT32 or ExFat (you can also use the boot partition for this, whatever is more confortable)
2. Install efitools: dnf install efitools
3. Copy the /usr/share/efitools/efi/KeyTool.efi into the prepared USB
4. Copy your Secure Boot keys into the USB: KEK and DB must have ".cer" extension, or KeyTool will ignore them. PK must have ".auth" extension. The instructions on how to generate this are in the previously shared link.
5. Reboot and open the Visual BIOS. It is easier if you just set "BIOS Setup Auto-Entry" at this point, because there are several reboots required
6. First we need the platform in Setup Mode. You do this by enabling Secure Boot, and selecting Clear Secure Boot Data. Then, reboot and open the Visual BIOS
7. Now we need to disable Secure Boot in order to enable the Internal EFI Shell. so, disable Secure Boot, then reboot and open the Visual BIOS
8. Now, enable the Internal EFI Shell, then reboot and open the Visual BIOS
9. Select the Internal EFI Shell as the next boot device, and proceed to boot into it.
10. In the Internal EFI Shell, search your prepared USB drive (e.g. ls fs0, ls fs1), and move to it (e.g. fs3:)
11. Run the KeyTool.efi. Follow the menus to import DB, KEK, and PK. Remember that they must be in ".cer" and ".auth" format otherwise Keytool will ignore them
12. Once completed, reboot.
From here you can boot into a Linux OS and run "mokutil --pk", "mokutil --kek", "mokutil --db" to verify that your keys are installed, and use pesign or sbsign to verify that your bootloaders are signed with the correct cert before enabling secure boot. I think it is more easy to use Machine Owner Keys for your kernel (which is a much better documented process).
As I said before, I did not have my PK in ".auth" format, so I was only able to install and verify the KEK and DB. But it looks promising. If somebody make this works, please share!
I think, after step 11,12 you are one step away from where I am in "NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot".
I mean, if you now enable Secure Boot in the Visual BIOS I guess you cannot use the Visual BIOS anymore, because it does not have the private key to access the HDMI port or the GPU : i.e. effectively a dead-lock.
Unless Intel provides a way to disable Secure Boot without access to the HDMI display I'd not recommend to try this.
Note that I'm not sure about the state of my NUC8i7HVK, because I do not see anything on the display anymore.
Maybe you can still reload the original keys in the BIOS to prevent the dead-lock ?
I enabled secure boot, and now my NUC does not boot anymore
I think there was no error on my end when generating and installing the keys, and I verified that everything was installed with Mokutils (I was able to see my keys installed there). I was expecting a "Secure Boot violation" screen because I did not sign my bootloader for Secure Boot, but instead I have no video output.
My NUCs are development system, so no data loss for me. I tried the following, and nothing worked:
1. Removing Security Jumper
2. Disconnecting CMOS battery
3. Diverse BIOS Recovery options (F7, Power Button)
I may be able to dig a little bit further.
Thanks very much for confirming my expectation.
I did the same ( I think) and got the same result. ( no, this is not a quote by Albert Einstein )
But you had "cleared the Secure Boot data" ( 03-31-2021 12:43 AM ) before.
I think Intel can at least add a Disable Secure Boot option in the Power Button menu, (maybe active only with the Security Jumper removed). Then we can see, what's wrong and maybe fix it.
Maybe someone can pass these results to the Intel development team ?
I could return the bricked NUC to the shop, but I still hope I can fix it.