Intel® NUCs
Support for Intel® NUC products
Announcements
Do you have improvements you would like us to make on this community site? If so, we would love to hear your feedback! Click here for an 8 question survey. Thanks!

11324 Discussions

How to install custom secure boot keys (PK, KEK, db)?

Michael_M_Intel
Employee
2,468 Views

Can you provide instructions for installing custom secure boot keys (PK, KEK, db)? I have checked the user guide and TPS, as well as tried via the BIOS interface. I can clear the existing keys, but it's not obvious how to load my keys. Perhaps I place them on a USB drive with specific filenames?

 

Thanks

0 Kudos
16 Replies
n_scott_pearson
Super User Retired Employee
2,380 Views

Good question! The BIOS Glossary talks about a selection that is used for reading the information from a file, but I am not seeing this selection exposed by any of the NUCs.

...S

Ronny_G_Intel
Moderator
2,380 Views

Hi MMill31,

 

I would recommend that you review the following documentation:

 

Frequently Asked Questions about Secure Boot

Deploying Secure Boot: Key Creation and Management

 

I am also attaching the "Signing UEFI Applications and Drivers for UEFI Secure Boot" white paper for your reference.

We provide the hardware needed for this implementation but this is more on the software/Operating System side (OEM/Microsoft*)

 

I hope this helps,

Ronny G

 

 

 

Michael_M_Intel
Employee
2,380 Views

Hi Ronny, thanks for the reply. Sorry, but this is not what I'm asking. I am asking for specific instructions for loading custom secure boot keys into the NUC. You can use NUC8i7HVB as a proxy for the model number since I use many NUCs. Clearly the NUC BIOS intends to support this ability, but I have no idea how to actually load my custom PK, KEK, and db into the NUC.

 

Thanks for the help,

Mike

Ronny_G_Intel
Moderator
2,380 Views

Hi Mike,

 

I just chatted with Chris V. about this request and my understanding is that he is also working with you so we will contact you back as soon as possible.

 

Thanks,

Ronny G

HuckBerry
Beginner
2,376 Views

I would also be interested in knowing the outcome of this discussion.

jdege
Beginner
2,118 Views

I was faced with exactly this problem, trying to install VMWare drivers on Ubuntu, running on my NUC.

I followed these instructions to get them built and signed, but it provided no guidance on how to enroll the signed keys into the UEFI on my NUC.

After a boot, F2 brought up the BIOS editor.

On the "Security" tab, under "HDD Security Configuration", there's a "Security Features" link.

Click that brings up a list of configuration settings. The first is "Allow UEFI 3rd party driver loaded".

I checked that and hit F10 to save and reboot.

On reboot, I landed on a page that asked me to select a MOK key, and then to enter its password.

Hans_Bausewein
New Contributor I
2,001 Views

I should have asked or read this first.

 

Looks like I broke my NUC8i7HVK: replaced the keys using Linux efitools, signed my boot efi's and enabled SecureBoot.

Now I cannot even get into the BIOS. It seems it tries to do something with the display, but nothing is visible.

This "Hades Canyon completely bricked after enabling Secure Boot"  does not look very promising.

Any ideas how to fix it?
I had saved the original keys, I think. But since I cannot get a Visual BIOS I cannot do anything.

I even do not know, what's the current state.

Hans

Nicolas_O_Intel
Employee
1,928 Views

Same problem here. Using an Intel NUC Hades Canyon. I need to install custom PK, KEK and DB, but the option is not available in Secure Boot Config. I have cleared the Secure Boot data, and now my PK is listed as "Not Installed", but the BIOS does not allow me to install one (only the Intel Platform Key can be installed).

This is weird because Secure Boot Mode is said to be "Custom", but it does not allow you to customize the Secure Boot variables (which is the sole purpose of Custom mode).

I tried this with and without the security jumper, but no luck.

I have also updated to the latest BIOS release posted here https://downloadcenter.intel.com/download/30320/BIOS-Update-HNKBLi70-

 Is there any way of enrolling those certs from the EFI Shell?

Hans_Bausewein
New Contributor I
1,800 Views

Still no answer from Intel.

I'd not recommend trying this without confirmation that it can work.

The risk is that you cannot access the Visual BIOS anymore after replacing the keys and enabling Secure Boot: effectively a dead-lock, because you need the Visual BIOS to disable Secure Boot.

Intel: is this question still being researched ?

Hans

MikeAnt
Beginner
1,760 Views

For those with "bricked" NUCs... have you tried to access the BIOS using the power button?

  1. Make sure the system is off, and not in Hibernate or Sleep mode.
  2. Press the power button and hold it down for three seconds and release it.  The power button menu should display.
    Tip: If the system boots to the OS after trying this procedure then you didn't hold the button quite long enough. If the system simply shuts down after trying this procedure, then you held the button too long (longer than 4 seconds).
  3. Press F2 to enter BIOS Setup.

https://www.intel.com/content/www/us/en/support/articles/000005847/intel-nuc.html

I'm dealing with a related problem.

 

Hans_Bausewein
New Contributor I
1,755 Views

@MikeAnt 

See "NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot" for what I tried.

 

I still want to try the same with a Windows-formatted USB stick as Leon suggested. If that does not help, I'll probably go for a replacement.

 

I wonder, what Intel will do when they get the machine. I guess they have lower-level tools to replace the BIOS with a pristine one (i.e. the original keys).

I'm surprised there's no method to disable Secure Boot in Configuration Mode: i.e. with the Security Jumper removed.

( If such a method exists, please tell me! )

Physically removing the jumper is not something a remote hacker can do, so it would not affect Secure Boot in any way.

My last action before the HDMI display went silent was turning on Secure Boot, so reverting that would probably resolve the issue for now.

NOTE: I mean disabling Secure Boot without anything visible on the HDMI display.

Regards,

Hans

Nicolas_O_Intel
Employee
1,735 Views

It looks like the NUC's Visual BIOS is a no go for installing custom Secure Boot keys.

There is no "import" function (or it must be hidden very well!)

 

I had some level of success with KeyTool by following this wiki https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#keytool.

 

I was able to import the DB and KEK, but my PK don't have the ".auth" format required by KeyTool. In my case, I only have the public part of the PK, and I may need the private part to generate the .auth file. 

 

The process I followed is (on my Fedora 33):

1. Prepare a USB formatted in FAT32 or ExFat (you can also use the boot partition for this, whatever is more confortable)

2. Install efitools: dnf install efitools

3. Copy the /usr/share/efitools/efi/KeyTool.efi into the prepared USB

4. Copy your Secure Boot keys into the USB: KEK and DB must have ".cer" extension, or KeyTool will ignore them. PK must have ".auth" extension. The instructions on how to generate this are in the previously shared link.

5. Reboot and open the Visual BIOS. It is easier if you just set "BIOS Setup Auto-Entry" at this point, because there are several reboots required

6. First we need the platform in Setup Mode. You do this by enabling Secure Boot, and selecting Clear Secure Boot Data. Then, reboot and open the Visual BIOS

7. Now we need to disable Secure Boot in order to enable the Internal EFI Shell. so, disable Secure Boot, then reboot and open the Visual BIOS

8. Now, enable the Internal EFI Shell, then reboot and open the Visual BIOS

9. Select the Internal EFI Shell as the next boot device, and proceed to boot into it.

10. In the Internal EFI Shell, search your prepared USB drive (e.g. ls fs0, ls fs1), and move to it (e.g. fs3:)

11. Run the KeyTool.efi. Follow the menus to import DB, KEK, and PK. Remember that they must be in ".cer" and ".auth" format otherwise Keytool will ignore them

12. Once completed, reboot.

 

From here you can boot into a Linux OS and run "mokutil --pk", "mokutil --kek", "mokutil --db" to verify that your keys are installed, and use pesign or sbsign to verify that your bootloaders are signed with the correct cert before enabling secure boot. I think it is more easy to use Machine Owner Keys for your kernel (which is a much better documented process). 

As I said before, I did not have my PK in ".auth" format, so I was only able to install and verify the KEK and DB. But it looks promising. If somebody make this works, please share!

 

 

Hans_Bausewein
New Contributor I
1,730 Views

@Nicolas_O_Intel 

 

I think, after step 11,12 you are one step away from where I am in "NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot".

 

I mean, if you now enable Secure Boot in the Visual BIOS I guess you cannot use the Visual BIOS anymore, because it does not have the private key to access the HDMI port or the GPU : i.e. effectively a dead-lock.

 

Unless Intel provides a way to disable Secure Boot without access to the HDMI display I'd not recommend to try this.

Note that I'm not sure about the state of my NUC8i7HVK, because I do not see anything on the display anymore.

Maybe you can still reload the original keys in the BIOS to prevent the dead-lock ?

 

Regards,

 

Hans


 

 
Hans_Bausewein
New Contributor I
1,685 Views

@Nicolas_O_Intel 

Just curious: did it work ?

I mean, are you running Secure Boot with the your own keys ?

Hans

Nicolas_O_Intel
Employee
1,671 Views

@Hans_Bausewein 

 

I enabled secure boot, and now my NUC does not boot anymore

I think there was no error on my end when generating and installing the keys, and I verified that everything was installed with Mokutils (I was able to see my keys installed there). I was expecting a "Secure Boot violation" screen because I did not sign my bootloader for Secure Boot, but instead I have no video output.

My NUCs are development system, so no data loss for me. I tried the following, and nothing worked:

1. Removing Security Jumper

2. Disconnecting CMOS battery

3. Diverse BIOS Recovery options (F7, Power Button)

 

I may be able to dig a little bit further. 

Hans_Bausewein
New Contributor I
1,659 Views

@Nicolas_O_Intel 

Thanks very much for confirming my expectation.

I did the same ( I think) and got the same result. ( no, this is not a quote by Albert Einstein )

But you had  "cleared the Secure Boot data" ( 03-31-2021 12:43 AM ) before.

 

I think Intel can at least add a Disable Secure Boot option in the Power Button menu, (maybe active only with the Security Jumper removed). Then we can see, what's wrong and maybe fix it.

 

Maybe someone can pass these results to the Intel development team ?

 

I could return the bricked NUC to the shop, but I still hope I can fix it.

 

Hans

Reply