Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Novice
5,106 Views

How to clear UEFI secure boot keys (or enter Setup Mode) on S1200SPO

I have a S1200SPO with a Xeon E3-1270v6 with versions:

IFWI: S1200SP.86B.BR.64.2017.39.3.01.0729.selfboot

BIOS: S1200SP.86B.03.01.0026.092720170729

I'd like to clear the installed UEFI secure boot keys, which requires entering Setup Mode. I can't seem to enter Setup Mode. Under Boot Maintenance Manager, under secure boot, all I can do is enable or disable secure boot. I'm using the KeyTool.efi (part of efitools) and I can verify that the board is in User Mode, which doesn't allow me to clear the PK.

Is there a way to do this from the BIOS? (maybe a different BIOS version?)

Can I do this somehow by modifying SPI flash directly? I have access to the board and tools to read/write SPI flash.

Thanks,

Josh

0 Kudos
9 Replies
Highlighted
Community Manager
660 Views

Hello jbdatko,

 

 

Thank you for calling Intel Customer Support, sorry for the delay on this one.

 

 

In regards to your question. Configuration and usage of Secure boot can be done through Syscfg utility.

 

 

https://downloadcenter.intel.com/download/26971/Save-and-Restore-System-Configuration-Utility-syscfg... Secure Boot Keys settings are described in section 4.3.9 of user guide

 

Please also see below information for Secure Boot features listed:

In implementation, PCSD BIOS provisions the keys for the first time user chooses UEFI boot mode and enable UEFI secure boot in Setup mode. When new BIOS capsule release contains new keys (in case there is private key compromise or known security vulnerability with previous signatures):

•In case user has already done the provision (i.e. once enabled UEFI secure boot), the

new keys will NOT be provisioned and old keys still take effect. It is mandatory to use method described in section 9.4.3.4 to update those keys.

•In case user has not yet done the provision (i.e. never enabled UEFI secure boot

before), the new keys will be provisioned and take effect.

9.4.3.4 Secure Boot Keys Update

After secure boot key has been provisioned after product launch, there are chances that these keys are required to be updated in an authenticated way so that user can replace obsoleted and compromised keys.

PCSD product BIOS does not support "custom mode" to update key variables (PK, KEY, DB & DBX) without authentication. This means that the key must be authenticated strictly according to UEFI specification requirement whenever UEFI secure boot is enabled or disabled:

PCSD product BIOS provides BIOS interfaces to enable System Configuration (SysCfg) utility to update these keys in authenticated way with /securebootkey command. For more details, please refer to the latest System Configuration Utility User Guide.

I hope this answers to your questions, or if further assistance is needed, anyway, please elt me know, I'll stay tuned to your comments.

 

 

Regards.

 

 

Kenneth R.

 

Intel Customer Support
0 Kudos
Highlighted
Novice
660 Views

Kenneth,

Thanks for for the answer. I tried this, and unfortunately it did not work. I'm not sure what reference document the information stating with "In implementation, PCSD ...." came from, but based on that, it seems like I can't change the PK (this is the key I want to overwrite) because the current PK that's installed is an Intel Key (2AE721F4-F17a-4023-972c-4f337ad58644, subject: CN=CN = Intel(R) PCSD Greenlow-R Product BIOS Platform Key O=Intel Corporation, OU=,). So, according to 9.4.3.4 I'm not going to be able to change the PK because I don't have the this Intel Key to sign the PK I want installed.

I was able to run syscfg and did test other commands so syscfg did appear to run (I was running it as an EFI). However, when I tried:

syscfg /securebookey "pass" overwrite PK fs0:\PK.(esl/auth/crt/cert) (I tried multiple formats), it said:

Updating secure boot key of PK...

ERROR. Change BIOS setting failed. It may be caused by invalid data in the switch parameter.

Looking at the UEFI specification version 2.7, section 31.3.2 "Clearing the Platform Key" it seems to indicate there are two methods:

1. Signing a new PK with the existing PK. This would make sense and is perhaps the /securebootkey overwrite method in syscfg.

2. "The platform key may also be cleared using a secure platform-specific method." I believe on Intel UEFI Firmware for a NUC there are options to clear the PK from the firmware.

So I guess my questions are:

1. Is there a method to clear the PK using the existing firmware or another Intel provided firmware for this Intel Server Board?

2. If not, can it be added?

Thank you again,

Josh

0 Kudos
Highlighted
Community Manager
660 Views

Hi,

 

 

Thanks for your feedback, in response to your comments.

 

 

I would like to replicate this myself to see what results I get because it make no sense syscfg should provide the keys needed t complete the opwration, anyway I'm also interested in knowing what is the big picture here, what is the final goal for which you need to overwrite the keys? that way maybe we can figure a workaround, if that's OK I've sent an email to your address for you to reply with your contact information and timezone in case we need to reach you back in that way, while I'm working in the replication.

 

 

I'll stay tuned to your comments, best regards.

 

 

Ken
0 Kudos
Highlighted
Novice
660 Views

Thanks again,

The end goal is to enable UEFI secure boot. The OS is a custom Linux kernel and rootfs, essentially a custom distro. This application for this server is very static and controlled. My assumption was from working with desktop UEFIs was that I could clear the PK, but this might not be the case. This would have been ideal as the boot process would have been: UEFI Firmware -> my signed Kernel EFI stub.

I did also notice there is a microsoft key in the KEK database. Perhaps I can use the Linux Foundation signed Preloader & shim (assuming it's the same key). In this case, there is more boot layers (UEFI Firmware -> preloader -> shim -> kernel I think). This could work, but the extra layers of indirection are not beneficial in the use case we have. It is however, probably better then disabling UEFI secure boot.

I tired the PreLoader, with secure boot, from UEFI shell but it did not immediately work however, I may not have invoked it correctly. I can give that another try.

Josh

0 Kudos
Highlighted
Community Manager
660 Views

Hello Josh,

 

 

I just want to let you know we're still working on your case, I would like to know how it went after your last try, is there any difference?

 

 

Please let me know so we can update our scenario.

 

 

Regards.

 

 

Ken
0 Kudos
Highlighted
Novice
660 Views

Ken,

Thanks for the update. I am not able to clear the platform key. I haven't yet tried removing the SPI flash and tweaking that directly though. What I want to try is to manipulate the PK's GUID to make it look like the PK isn't there. Not sure if this will work though.

Because of the MFST key in the KEK, I can perform the following:

Firmware->PreLoader (from the Linux Foundation, signed by MFST)->custom software.

This is the best we can do without clearing the platform key, which is better than not having secure boot.

Josh

0 Kudos
Highlighted
Community Manager
660 Views

Understood Josh,

 

 

Thanks for the heads up, I'mm trying to have this replicated and also digging trough the documentation, if you have any more information as result of your testing please let me know, I'll reach back at you as soon as I have something else.

 

 

Ken
0 Kudos
Highlighted
Beginner
660 Views

We have the same problem as described in the original message.

We are also interested in using secure boot to protect the boot-process of our appliances. All our appliances run the same Linux kernel, and that Linux kernel is the only thing the appliance should run, so it makes sense to set up our own PKI infrastructure for signing.

I am currently testing with a S1200SP (R1304SPOSHORR) with BIOS version S1200SP.86B.03.01.0038.062620180344.

When I booted the system for the first time, it was in Setup Mode. This would have been a good moment to install our own PK. After enabling secure mode, the default Intel and Microsoft keys were installed.

When I disabled secure boot again, the Intel PK was still there and there doesn't seem to be a way to remove that key to return to Setup Mode. (according to most Google hits, there should be an option to clear all secure mode keys, or an option to force Setup Mode)

Is there a way to remove the key and/or do a factory reset of the whole system?

0 Kudos
Highlighted
Community Manager
660 Views

Hello B.vanSisseren,

 

 

Hope you are doing fine.

 

We will kindly as you to create a new case or thread under your name as the resolution needs to contact you directly.

 

Please let us know if it possible.

 

Thank you.

 

 

Regards,

 

 

Charlie_Intel

 

0 Kudos