docs: add precision about dbx and OptionROMs

Alexandre Iooss 2023-05-25 08:52:36 +02:00
parent dc52f0352d
commit b673e1b71f
1 changed file with 18 additions and 2 deletions


@ -269,12 +269,14 @@ entry in the systemd-boot boot menu. Once you are in the BIOS menu:
2. Select the "Secure Boot" entry.
3. Set "Secure Boot" to enabled.
4. Select "Reset to Setup Mode".
5. Select "Clear All Secure Boot Keys".
When you are done, press F10 to save and exit.
You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ).
> ⚠️ Do not select "Clear All Secure Boot Keys" as it will drop the Forbidden
> Signature Database (dbx).
### Enrolling Keys
Once you've booted your system into NixOS again, you have to enroll
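Review bot: step 5 of the numbered list still tells the reader to "Select "Clear All Secure Boot Keys"" while the new warning two lines below tells them not to select it, so the procedure now contradicts itself. Drop step 5 (or replace it with the warning's guidance) so the list ends at "Reset to Setup Mode", and have the warning say why the distinction matters: setup mode is what the key enrollment in the next section needs, whereas clearing all keys also wipes the Forbidden Signature Database (dbx), which the firmware will not restore on its own.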
@ -288,8 +290,14 @@ With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
```
> ⚠️ During boot, some hardware might include OptionROMs signed with
> Microsoft keys.
> By using the `--microsoft`, we enroll the Microsoft OEM certificates.
> Another more experimental option would be to enroll OptionROMs checksum seen
> at last boot using `--tpm-eventlog`, but these checksums might change later.
You can now reboot your system. After you've booted, Secure Boot is
activated:
activated and in user mode:
```console
$ bootctl status
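Review bot: "By using the `--microsoft`, we enroll the Microsoft OEM certificates." is missing its noun and calls the certificates "OEM" while the sbctl output just above calls them "vendor keys from microsoft"; suggest "Passing `--microsoft` enrolls Microsoft's vendor certificates next to your own keys, so OptionROMs signed by Microsoft keep loading." The `--tpm-eventlog` sentence should also read "enroll the OptionROM hashes recorded in the TPM event log at the last boot" and say what "might change later" means in practice: a firmware or device update replaces the ROM, its hash no longer matches, and the firmware refuses to run that ROM (for a GPU, typically no display until the OS driver loads), so the reader knows the failure mode they are opting into.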
@ -301,6 +309,14 @@ System:
Boot into FW: supported
```
> ⚠️ If you used `--microsoft` while enrolling the keys, you might want
> to check that the Secure Boot Forbidden Signature Database (dbx) is not
> empty.
> A quick and dirty way is by checking the file size of
> `/sys/firmware/efi/efivars/dbx-*`.
> Keeping an up to date dbx reduces Secure Boot bypasses, see for example:
> <https://uefi.org/sites/default/files/resources/dbx_release_info.pdf>.
That's all! 🥳
## Troubleshooting
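Review bot: "checking the file size of `/sys/firmware/efi/efivars/dbx-*`" is not actionable without saying what size counts as empty; each efivars file starts with a 4-byte attribute header before the variable data, so a 4-byte file is an empty dbx and anything larger holds entries. Suggest giving the command, e.g. `ls -l /sys/firmware/efi/efivars/dbx-*`, or `efi-readvar -v dbx` from efitools to list the actual entries, and tying the check back to the earlier warning: "Clear All Secure Boot Keys" drops the dbx and nothing in the enrollment output above mentions restoring it, which is exactly why this check is needed. Two wording points: "up to date" as an adjective should be "up-to-date", and "reduces Secure Boot bypasses" is clearer as "keeps known-vulnerable Microsoft-signed bootloaders from being accepted", which is what the linked dbx release notes revoke.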