https://packages.debian.org/bookworm/shim-helpers-amd64-signed
provides /usr/lib/shim/fbx64.efi.signed and /usr/lib/shim/mmx64.efi.signed
https://packages.debian.org/bookworm/shim-signed
provides /usr/lib/shim/shimx64.efi.signed
dpkg -x shim-helpers-amd64-signed_1+15.7+1_amd64.deb shim
dpkg -x shim-signed_1.40+15.7-1_amd64.deb shim
cd shim/usr/lib/shim/
ls
fbx64.efi.signed mmx64.efi.signed shimx64.efi.signed
mv fbx64.efi.signed fbx64.efi && mv mmx64.efi.signed mmx64.efi && mv shimx64.efi.signed shimx64.efi
ls
fbx64.efi mmx64.efi shimx64.efi
sudo cp * /efi/EFI/systemd/
Debian's shim looks for grubx64.efi in the same directory, so give it a copy of systemd-boot under that name (run inside /efi/EFI/systemd/):
cp systemd-bootx64.efi grubx64.efi
On the next boot shim finds no trusted grubx64.efi and loads the MOK (Machine Owner Key) manager, mmx64.efi.
Select "Enroll hash from disk" and browse to the two files one by one:
../systemd/grubx64.efi
/efi/xxxxxxxx/linux [maybe not needed for Debian?]
After the reboot Secure Boot is working.
Add a BIOS password so the Secure Boot settings and the enrolled keys cannot be changed without it.
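The steps above, gathered into one script with the checks a practitioner wants before rebooting: every file shim needs is present and grubx64.efi really is systemd-boot. This is an added example, not code from the original post or from Debian; it assumes the two .deb files are already downloaded into the first argument and that the second argument is the systemd-boot directory on the ESP (the post uses /efi/EFI/systemd/).

```shell
#!/bin/sh
# Added example: stage Debian's signed shim next to systemd-boot on the ESP.
# Assumptions (not from the original post): the two .deb files are in
# DEB_DIR, ESP_DIR already holds systemd-bootx64.efi, and you run this with
# enough rights to write to ESP_DIR.
set -eu

# Files shim needs beside itself: MokManager, the fallback loader and the
# renamed copy of systemd-boot it loads as grubx64.efi.
REQUIRED="shimx64.efi mmx64.efi fbx64.efi grubx64.efi"

# extract_signed DEB_DIR WORK_DIR: unpack both packages into WORK_DIR.
extract_signed() {
    deb_dir=$1; work=$2
    for deb in "$deb_dir"/shim-signed_*.deb "$deb_dir"/shim-helpers-amd64-signed_*.deb; do
        [ -f "$deb" ] || { echo "missing package: $deb" >&2; return 1; }
        dpkg -x "$deb" "$work"
    done
}

# stage_shim SRC_DIR ESP_DIR: copy *.efi.signed into ESP_DIR without the
# .signed suffix and create grubx64.efi from systemd-bootx64.efi.
stage_shim() {
    src=$1; esp=$2
    [ -f "$esp/systemd-bootx64.efi" ] || { echo "no systemd-bootx64.efi in $esp" >&2; return 1; }
    for f in "$src"/*.efi.signed; do
        base=$(basename "$f" .signed)
        cp "$f" "$esp/$base"
    done
    # Debian's shim looks for grubx64.efi beside itself; give it systemd-boot.
    cp "$esp/systemd-bootx64.efi" "$esp/grubx64.efi"
}

# verify_stage ESP_DIR: succeed only if every required file is present and
# non-empty and grubx64.efi is byte-identical to systemd-bootx64.efi.
verify_stage() {
    esp=$1
    for name in $REQUIRED; do
        [ -s "$esp/$name" ] || { echo "missing $esp/$name" >&2; return 1; }
    done
    cmp -s "$esp/grubx64.efi" "$esp/systemd-bootx64.efi" || { echo "grubx64.efi is not systemd-boot" >&2; return 1; }
}

# main DEB_DIR ESP_DIR: extract, stage, verify, clean up.
main() {
    work=$(mktemp -d)
    extract_signed "$1" "$work"
    stage_shim "$work/usr/lib/shim" "$2"
    verify_stage "$2"
    rm -rf "$work"
    echo "staged shim into $2; enroll the hashes in MokManager on the next boot"
}

# Runs only when asked for, e.g.:
#   RUN_STAGE=1 sh stage-shim.sh ./debs /efi/EFI/systemd
if [ "${RUN_STAGE:-0}" = 1 ]; then
    main "$@"
fi
```

The verification step is deliberately separate so it can be re-run after any later update of systemd-boot: if systemd-bootx64.efi changes, grubx64.efi must be recopied and its hash enrolled again in MokManager, otherwise shim refuses to load it.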
https://packages.debian.org/bookworm/mokutil
The Platform Keys (PK) represent the manufacturer of the platform:
sudo mokutil --pk | grep '\(^\[key\|CN\)'
[key 1]
Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
Subject: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Platform Key
Only owners of Key Exchange Keys (KEK) are allowed to modify the key database:
sudo mokutil --kek | grep '\(^\[key\|CN\)'
[key 1]
Issuer: C=Key Exchange Key, CN=Key Exchange Key
Subject: C=Key Exchange Key, CN=Key Exchange Key
[key 2]
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
The Database (DB) of keys (and hashes) contains keys to validate later stages in the boot process:
sudo mokutil --db | grep '\(^[ \t]*\[\|CN\)'
[key 1]
Issuer: C=Database Key, CN=Database Key
Subject: C=Database Key, CN=Database Key
[key 2]
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 3]
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 2] is the Microsoft third-party chain (Microsoft Corporation UEFI CA 2011, issued by the Microsoft Corporation Third Party Marketplace Root); this is the certificate chain used to sign shim, so it must be present in db for the Debian shim to boot.
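Before copying shim onto the ESP it is worth checking that db actually trusts the Microsoft third-party CA; some firmware ships in a "Windows only" mode that lists just the Windows Production PCA, and shim is then rejected with a Security Violation. The functions below, an added example and not part of the original post or of mokutil, parse the kind of output shown above and answer that question. The sample texts are constructed from the lines on this page; the CN string is the one db shows for key 2.

```shell
#!/bin/sh
# Added example: check whether a UEFI key database trusts the CA that signs
# Debian's shim. Parses mokutil --db / --kek / --pk style output.
# Assumption (not from the original post): the output has one
# "Subject: ..., CN=<name>" line per certificate, as shown on this page.
set -eu

# Constructed sample: the db listing from this page.
SAMPLE_DB='[key 1]
        Issuer: C=Database Key, CN=Database Key
        Subject: C=Database Key, CN=Database Key
[key 2]
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 3]
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011'

# Constructed sample: a firmware with the third-party CA removed.
SAMPLE_WINDOWS_ONLY='[key 1]
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011'

# The CA under which the Debian shim is signed (key 2 on this page).
SHIM_CA_CN="Microsoft Corporation UEFI CA 2011"

# subject_cns: read a mokutil listing on stdin, print one CN per Subject line.
subject_cns() {
    sed -n 's/^[[:space:]]*Subject:.*CN=\([^,]*\).*$/\1/p'
}

# db_trusts_cn TEXT CN: exit 0 if a certificate with that exact CN is listed.
db_trusts_cn() {
    printf '%s\n' "$1" | subject_cns | grep -Fxq "$2"
}

# check_shim_chain TEXT: exit 0 if the listing trusts the shim CA, else 1.
check_shim_chain() {
    if db_trusts_cn "$1" "$SHIM_CA_CN"; then
        echo "db trusts '$SHIM_CA_CN': shim will be accepted"
    else
        echo "db lacks '$SHIM_CA_CN': shim will be rejected" >&2
        return 1
    fi
}

# Live check against the running firmware, only when asked for:
#   CHECK_LIVE=1 sh check-db.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    check_shim_chain "$(sudo mokutil --db)"
fi
```

The same subject_cns filter works on mokutil --pk and mokutil --kek output, which is handy for confirming that the KEK still holds the Microsoft Corporation KEK CA 2011 entry that future db and dbx updates are signed under.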
The Revocation List (DBX) of keys (and hashes) lists what the firmware refuses to run even if it would otherwise verify:
sudo mokutil --dbx
To enroll an additional hash into the MOK list from the running system (the request is confirmed in MokManager on the next boot):
sudo mokutil --import-hash <hash_value>
To clear the MOK list again:
sudo mokutil --reset
https://wiki.debian.org/SecureBoot
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot