docs: add precision about dbx and OptionROMs
This commit is contained in:
parent dc52f0352d
commit b673e1b71f
@ -269,12 +269,14 @@ entry in the systemd-boot boot menu. Once you are in the BIOS menu:
2. Select the "Secure Boot" entry.
3. Set "Secure Boot" to enabled.
4. Select "Reset to Setup Mode".
5. Select "Clear All Secure Boot Keys".
When you are done, press F10 to save and exit.
You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ).
> ⚠️ Do not select "Clear All Secure Boot Keys" as it will drop the Forbidden
> Signature Database (dbx).
### Enrolling Keys
Once you've booted your system into NixOS again, you have to enroll
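Review bot: the warning added at the end of this hunk contradicts step 5 directly above it, which still tells the reader to `5. Select "Clear All Secure Boot Keys".` A reader working through the numbered list will have dropped the dbx before reaching the warning. Either remove step 5 so the procedure ends with `4. Select "Reset to Setup Mode".` and the F10 save, or rewrite the step as the thing not to do, and place the warning next to the step it refers to rather than after the video link. Since the text says the video shows "these steps", it is worth saying there too whether the key-clearing step in the video should be skipped.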
@ -288,8 +290,14 @@ With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
```
> ⚠️ During boot, some hardware might include OptionROMs signed with
> Microsoft keys.
> By using the `--microsoft`, we enroll the Microsoft OEM certificates.
> Another more experimental option would be to enroll OptionROMs checksum seen
> at last boot using `--tpm-eventlog`, but these checksums might change later.
You can now reboot your system. After you've booted, Secure Boot is
activated:
activated and in user mode:
```console
$ bootctl status
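Review bot: the OptionROM note is placed after the enrollment output (`Enrolled keys to the EFI variables!`), so the reader learns what `--microsoft` does only after the keys are already enrolled; move it above the enrollment command whose output is shown here, where the flag is actually chosen. Two wording fixes in the same lines: `> By using the \`--microsoft\`, we enroll` is missing a noun (`the \`--microsoft\` flag`), and `enroll OptionROMs checksum seen at last boot` should read `enroll the OptionROM checksums seen at the last boot`. The note would also be more useful if it stated the consequence it protects against: without the Microsoft certificates or the OptionROM hashes, such an OptionROM fails signature verification and is not executed. Otherwise it only tells the reader that these OptionROMs exist.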
@ -301,6 +309,14 @@ System:
Boot into FW: supported
```
> ⚠️ If you used `--microsoft` while enrolling the keys, you might want
> to check that the Secure Boot Forbidden Signature Database (dbx) is not
> empty.
> A quick and dirty way is by checking the file size of
> `/sys/firmware/efi/efivars/dbx-*`.
> Keeping an up to date dbx reduces Secure Boot bypasses, see for example:
> <https://uefi.org/sites/default/files/resources/dbx_release_info.pdf>.
That's all! 🥳
## Troubleshooting
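Review bot: `A quick and dirty way is by checking the file size of /sys/firmware/efi/efivars/dbx-*` gives the reader no threshold to compare against. In efivarfs the first 4 bytes of each file are the variable attributes, so a 4-byte file carries no dbx entries, and if the variable is absent the glob matches nothing at all; spell that out with a concrete command, e.g. `ls -l /sys/firmware/efi/efivars/dbx-*`, and say that a file of only a few bytes or no file at all means the dbx is effectively empty. Also `Keeping an up to date dbx reduces Secure Boot bypasses` is imprecise: the dbx blocks binaries with known revoked signatures or hashes, so `reduces exposure to known Secure Boot bypasses` describes what the linked release notes document. Finally, the note is placed after the `bootctl status` output but the dbx is lost in step 5 of the BIOS procedure earlier in this same change; a back-reference to that step would tell the reader how the dbx ended up empty and that it needs to be restored rather than just detected.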