shim-signed for systemd-boot-efi in debian without grub

 

 

https://packages.debian.org/bookworm/shim-helpers-amd64-signed

/usr/lib/shim/fbx64.efi.signed
/usr/lib/shim/mmx64.efi.signed

 https://packages.debian.org/bookworm/shim-signed

/usr/lib/shim/shimx64.efi.signed
 
dpkg -x shim-helpers-amd64-signed_1+15.7+1_amd64.deb shim
dpkg -x shim-signed_1.40+15.7-1_amd64.deb shim

cd shim/usr/lib/shim/ 
ls 
fbx64.efi.signed  mmx64.efi.signed  shimx64.efi.signed 
mv fbx64.efi.signed fbx64.efi && mv mmx64.efi.signed mmx64.efi && mv shimx64.efi.signed shimx64.efi

 ls
fbx64.efi  mmx64.efi  shimx64.efi


sudo  cp *  /efi/EFI/systemd/

 

Debian's shim looks for grubx64.efi in the same directory (/efi/EFI/systemd/), so copy systemd-boot there under that name:

cp systemd-bootx64.efi grubx64.efi


On the next boot, shim loads the MOK (Machine Owner Key) manager, mmx64.efi.

Select "enroll hash" and browse to these two files, one at a time:

../systemd/grubx64.efi  

/efi/xxxxxxxx/linux    [maybe not needed for debian?]

 

After a reboot, Secure Boot is working.

Add a BIOS password to lock the firmware settings for extra security.
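
A check for the layout the steps above produce, as an added example that is not part of the original post. It assumes the ESP directory /efi/EFI/systemd/ used above; the function name check_shim_esp and its return codes are made up for this example. The enrolled hash covers the exact contents of grubx64.efi, so the check also flags a copy that no longer matches systemd-bootx64.efi.

```shell
#!/bin/sh
# Added example: sanity-check the ESP directory after the steps above.
# Usage: sh check-shim-esp.sh /efi/EFI/systemd

# check_shim_esp DIR
# Return codes (chosen for this example):
#   0 = layout OK
#   1 = one of the expected files is missing or empty
#   2 = grubx64.efi is not identical to systemd-bootx64.efi (stale copy)
#   3 = a *.efi.signed file was left unrenamed
check_shim_esp() {
    dir=$1
    # Files the steps above place in the directory, under their final names.
    for f in shimx64.efi mmx64.efi fbx64.efi grubx64.efi systemd-bootx64.efi; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # The MOK hash was enrolled for the grubx64.efi copy. If
    # systemd-bootx64.efi is updated later, the copy is stale; refreshing it
    # changes its hash, which then has to be enrolled again in the MOK manager.
    if ! cmp -s "$dir/systemd-bootx64.efi" "$dir/grubx64.efi"; then
        echo "grubx64.efi differs from systemd-bootx64.efi" >&2
        return 2
    fi
    # The .signed suffix must be gone; a leftover means a rename was skipped.
    for f in "$dir"/*.efi.signed; do
        if [ -e "$f" ]; then
            echo "leftover file: $f" >&2
            return 3
        fi
    done
    return 0
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_shim_esp "$1"
fi
```
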

 

https://packages.debian.org/bookworm/mokutil

 

 

The Platform Keys (PK) represent the manufacturer of the platform:

sudo mokutil --pk | grep '\(^\[key\|CN\)'
[key 1]
        Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
        Subject: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
 

Only owners of Key Exchange Keys (KEK) are allowed to modify the key database:

 sudo mokutil --kek | grep '\(^\[key\|CN\)'
[key 1]
        Issuer: C=Key Exchange Key, CN=Key Exchange Key
        Subject: C=Key Exchange Key, CN=Key Exchange Key
[key 2]
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
 

The Database (DB) of keys (and hashes) contains keys to validate later stages in the boot process:

 sudo mokutil --db | grep '\(^[ \t]*\[\|CN\)'
[key 1]
        Issuer: C=Database Key, CN=Database Key
        Subject: C=Database Key, CN=Database Key
[key 2]
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 3]
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011

 

[key 2], the Microsoft Corporation Third Party Marketplace Root certificate, is used to sign shim.

 

Revocation List (DBX) of keys (and hashes)

sudo mokutil --dbx
 
 
sudo mokutil --import-hash <hash_value>
 
 
sudo mokutil --reset
  

 

 

https://wiki.debian.org/SecureBoot

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

 

 

 

 

 
