Kenneth,

Thanks for for the answer. I tried this, and unfortunately it did not work. I'm not sure what reference document the information stating with "In implementation, PCSD ...." came from, but based on that, it seems like I can't change the PK (this is the key I want to overwrite) because the current PK that's installed is an Intel Key (2AE721F4-F17a-4023-972c-4f337ad58644, subject: CN=CN = Intel(R) PCSD Greenlow-R Product BIOS Platform Key O=Intel Corporation, OU=,). So, according to 9.4.3.4 I'm not going to be able to change the PK because I don't have the this Intel Key to sign the PK I want installed.

I was able to run syscfg and did test other commands so syscfg did appear to run (I was running it as an EFI). However, when I tried:

syscfg /securebookey "pass" overwrite PK fs0:\PK.(esl/auth/crt/cert) (I tried multiple formats), it said:

Updating secure boot key of PK...

ERROR. Change BIOS setting failed. It may be caused by invalid data in the switch parameter.

Looking at the UEFI specification version 2.7, section 31.3.2 "Clearing the Platform Key" it seems to indicate there are two methods:

1. Signing a new PK with the existing PK. This would make sense and is perhaps the /securebootkey overwrite method in syscfg.

2. "The platform key may also be cleared using a secure platform-specific method." I believe on Intel UEFI Firmware for a NUC there are options to clear the PK from the firmware.

So I guess my questions are:

1. Is there a method to clear the PK using the existing firmware or another Intel provided firmware for this Intel Server Board?

2. If not, can it be added?

Thank you again,

Josh

Hi,

 

 

Thanks for your feedback, in response to your comments.

 

 

I would like to replicate this myself to see what results I get because it make no sense syscfg should provide the keys needed t complete the opwration, anyway I'm also interested in knowing what is the big picture here, what is the final goal for which you need to overwrite the keys? that way maybe we can figure a workaround, if that's OK I've sent an email to your address for you to reply with your contact information and timezone in case we need to reach you back in that way, while I'm working in the replication.

 

 

I'll stay tuned to your comments, best regards.

 

 

Ken

Thanks again,

The end goal is to enable UEFI secure boot. The OS is a custom Linux kernel and rootfs, essentially a custom distro. This application for this server is very static and controlled. My assumption was from working with desktop UEFIs was that I could clear the PK, but this might not be the case. This would have been ideal as the boot process would have been: UEFI Firmware -> my signed Kernel EFI stub.

I did also notice there is a microsoft key in the KEK database. Perhaps I can use the Linux Foundation signed Preloader & shim (assuming it's the same key). In this case, there is more boot layers (UEFI Firmware -> preloader -> shim -> kernel I think). This could work, but the extra layers of indirection are not beneficial in the use case we have. It is however, probably better then disabling UEFI secure boot.

I tired the PreLoader, with secure boot, from UEFI shell but it did not immediately work however, I may not have invoked it correctly. I can give that another try.

Josh

Hello Josh,

 

 

I just want to let you know we're still working on your case, I would like to know how it went after your last try, is there any difference?

 

 

Please let me know so we can update our scenario.

 

 

Regards.

 

 

Ken

Ken,

Thanks for the update. I am not able to clear the platform key. I haven't yet tried removing the SPI flash and tweaking that directly though. What I want to try is to manipulate the PK's GUID to make it look like the PK isn't there. Not sure if this will work though.

Because of the MFST key in the KEK, I can perform the following:

Firmware->PreLoader (from the Linux Foundation, signed by MFST)->custom software.

This is the best we can do without clearing the platform key, which is better than not having secure boot.

Josh

Understood Josh,

 

 

Thanks for the heads up, I'mm trying to have this replicated and also digging trough the documentation, if you have any more information as result of your testing please let me know, I'll reach back at you as soon as I have something else.

 

 

Ken

We have the same problem as described in the original message.

We are also interested in using secure boot to protect the boot-process of our appliances. All our appliances run the same Linux kernel, and that Linux kernel is the only thing the appliance should run, so it makes sense to set up our own PKI infrastructure for signing.

I am currently testing with a S1200SP (R1304SPOSHORR) with BIOS version S1200SP.86B.03.01.0038.062620180344.

When I booted the system for the first time, it was in Setup Mode. This would have been a good moment to install our own PK. After enabling secure mode, the default Intel and Microsoft keys were installed.

When I disabled secure boot again, the Intel PK was still there and there doesn't seem to be a way to remove that key to return to Setup Mode. (according to most Google hits, there should be an option to clear all secure mode keys, or an option to force Setup Mode)

Is there a way to remove the key and/or do a factory reset of the whole system?

Hello B.vanSisseren,

 

 

Hope you are doing fine.

 

We will kindly as you to create a new case or thread under your name as the resolution needs to contact you directly.

 

Please let us know if it possible.

 

Thank you.

 

 

Regards,

 

 

Charlie_Intel