Hi Ronny, thanks for the reply. Sorry, but this is not what I'm asking. I am asking for specific instructions for loading custom secure boot keys into the NUC. You can use NUC8i7HVB as a proxy for the model number since I use many NUCs. Clearly the NUC BIOS intends to support this ability, but I have no idea how to actually load my custom PK, KEK, and db into the NUC.

Thanks for the help,

Mike

I would also be interested in knowing the outcome of this discussion.

I should have asked or read this first.

Looks like I broke my NUC8i7HVK: replaced the keys using Linux efitools, signed my boot efi's and enabled SecureBoot.

Now I cannot even get into the BIOS. It seems it tries to do something with the display, but nothing is visible.

This "Hades Canyon completely bricked after enabling Secure Boot"  does not look very promising.

Any ideas how to fix it?
I had saved the original keys, I think. But since I cannot get a Visual BIOS I cannot do anything.

I even do not know, what's the current state.

Hans

Did you ever find a solution to this?

No, I only replaced my broken NUC8 with another.

I'm quite confident I'd dead-lock it again if I try the same.

A BIOS update to fix this would be great, but I do not expect anything as it's probably too old, now.

Never get an Intel again, I'd say.

Hans

Still no answer from Intel.

I'd not recommend trying this without confirmation that it can work.

The risk is that you cannot access the Visual BIOS anymore after replacing the keys and enabling Secure Boot: effectively a dead-lock, because you need the Visual BIOS to disable Secure Boot.

Intel: is this question still being researched ?

Hans

For those with "bricked" NUCs... have you tried to access the BIOS using the power button?

1. Make sure the system is off, and not in Hibernate or Sleep mode.
2. Press the power button and hold it down for three seconds and release it.  The power button menu should display.
   Tip: If the system boots to the OS after trying this procedure then you didn't hold the button quite long enough. If the system simply shuts down after trying this procedure, then you held the button too long (longer than 4 seconds).
3. Press F2 to enter BIOS Setup.

https://www.intel.com/content/www/us/en/support/articles/000005847/intel-nuc.html

I'm dealing with a related problem.

@MikeAnt 

See "NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot" for what I tried.

I still want to try the same with a Windows-formatted USB stick as Leon suggested. If that does not help, I'll probably go for a replacement.

I wonder, what Intel will do when they get the machine. I guess they have lower-level tools to replace the BIOS with a pristine one (i.e. the original keys).

I'm surprised there's no method to disable Secure Boot in Configuration Mode: i.e. with the Security Jumper removed.

( If such a method exists, please tell me! )

Physically removing the jumper is not something a remote hacker can do, so it would not affect Secure Boot in any way.

My last action before the HDMI display went silent was turning on Secure Boot, so reverting that would probably resolve the issue for now.

NOTE: I mean disabling Secure Boot without anything visible on the HDMI display.

Regards,

Hans

It looks like the NUC's Visual BIOS is a no go for installing custom Secure Boot keys.

There is no "import" function (or it must be hidden very well!)

I had some level of success with KeyTool by following this wiki https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#keytool.

I was able to import the DB and KEK, but my PK don't have the ".auth" format required by KeyTool. In my case, I only have the public part of the PK, and I may need the private part to generate the .auth file. 

The process I followed is (on my Fedora 33):

1. Prepare a USB formatted in FAT32 or ExFat (you can also use the boot partition for this, whatever is more confortable)

2. Install efitools: dnf install efitools

3. Copy the /usr/share/efitools/efi/KeyTool.efi into the prepared USB

4. Copy your Secure Boot keys into the USB: KEK and DB must have ".cer" extension, or KeyTool will ignore them. PK must have ".auth" extension. The instructions on how to generate this are in the previously shared link.

5. Reboot and open the Visual BIOS. It is easier if you just set "BIOS Setup Auto-Entry" at this point, because there are several reboots required

6. First we need the platform in Setup Mode. You do this by enabling Secure Boot, and selecting Clear Secure Boot Data. Then, reboot and open the Visual BIOS

7. Now we need to disable Secure Boot in order to enable the Internal EFI Shell. so, disable Secure Boot, then reboot and open the Visual BIOS

8. Now, enable the Internal EFI Shell, then reboot and open the Visual BIOS

9. Select the Internal EFI Shell as the next boot device, and proceed to boot into it.

10. In the Internal EFI Shell, search your prepared USB drive (e.g. ls fs0, ls fs1), and move to it (e.g. fs3:)

11. Run the KeyTool.efi. Follow the menus to import DB, KEK, and PK. Remember that they must be in ".cer" and ".auth" format otherwise Keytool will ignore them

12. Once completed, reboot.

From here you can boot into a Linux OS and run "mokutil --pk", "mokutil --kek", "mokutil --db" to verify that your keys are installed, and use pesign or sbsign to verify that your bootloaders are signed with the correct cert before enabling secure boot. I think it is more easy to use Machine Owner Keys for your kernel (which is a much better documented process). 

As I said before, I did not have my PK in ".auth" format, so I was only able to install and verify the KEK and DB. But it looks promising. If somebody make this works, please share!

@Nicolas_O_Intel 

I think, after step 11,12 you are one step away from where I am in "NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot".

I mean, if you now enable Secure Boot in the Visual BIOS I guess you cannot use the Visual BIOS anymore, because it does not have the private key to access the HDMI port or the GPU : i.e. effectively a dead-lock.

Unless Intel provides a way to disable Secure Boot without access to the HDMI display I'd not recommend to try this.

Note that I'm not sure about the state of my NUC8i7HVK, because I do not see anything on the display anymore.

Maybe you can still reload the original keys in the BIOS to prevent the dead-lock ?

Regards,

Hans

@Nicolas_O_Intel 

Just curious: did it work ?

I mean, are you running Secure Boot with the your own keys ?

Hans

@Hans_Bausewein 

I enabled secure boot, and now my NUC does not boot anymore

I think there was no error on my end when generating and installing the keys, and I verified that everything was installed with Mokutils (I was able to see my keys installed there). I was expecting a "Secure Boot violation" screen because I did not sign my bootloader for Secure Boot, but instead I have no video output.

My NUCs are development system, so no data loss for me. I tried the following, and nothing worked:

1. Removing Security Jumper

2. Disconnecting CMOS battery

3. Diverse BIOS Recovery options (F7, Power Button)

I may be able to dig a little bit further. 

@Nicolas_O_Intel 

Thanks very much for confirming my expectation.

I did the same ( I think) and got the same result. ( no, this is not a quote by Albert Einstein )

But you had  "cleared the Secure Boot data" ( 03-31-2021 12:43 AM ) before.

I think Intel can at least add a Disable Secure Boot option in the Power Button menu, (maybe active only with the Security Jumper removed). Then we can see, what's wrong and maybe fix it.

Maybe someone can pass these results to the Intel development team ?

I could return the bricked NUC to the shop, but I still hope I can fix it.

Hans

are there any updates to this?  I would like to install my own PK, KEK, and DB but I don't want to brick my NUC.  Right now my secure boot environment is in "Setup" mode.