From b673e1b71fbdb8c025b3ba52ed4250630d6eb650 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 25 May 2023 08:52:36 +0200 Subject: [PATCH] docs: add precision about dbx and OptionROMs --- docs/QUICK_START.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/QUICK_START.md b/docs/QUICK_START.md index 555a1ca..9007d19 100644 --- a/docs/QUICK_START.md +++ b/docs/QUICK_START.md @@ -269,12 +269,14 @@ entry in the systemd-boot boot menu. Once you are in the BIOS menu: 2. Select the "Secure Boot" entry. 3. Set "Secure Boot" to enabled. 4. Select "Reset to Setup Mode". -5. Select "Clear All Secure Boot Keys". When you are done, press F10 to save and exit. You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ). +> ⚠️ Do not select "Clear All Secure Boot Keys" as it will drop the Forbidden +> Signature Database (dbx). + ### Enrolling Keys Once you've booted your system into NixOS again, you have to enroll @@ -288,8 +290,14 @@ With vendor keys from microsoft...✓ Enrolled keys to the EFI variables! ``` +> ⚠️ During boot, some hardware might include OptionROMs signed with +> Microsoft keys. +> By using the `--microsoft`, we enroll the Microsoft OEM certificates. +> Another more experimental option would be to enroll OptionROMs checksum seen +> at last boot using `--tpm-eventlog`, but these checksums might change later. + You can now reboot your system. After you've booted, Secure Boot is -activated: +activated and in user mode: ```console $ bootctl status @@ -301,6 +309,14 @@ System: Boot into FW: supported ``` +> ⚠️ If you used `--microsoft` while enrolling the keys, you might want +> to check that the Secure Boot Forbidden Signature Database (dbx) is not +> empty. +> A quick and dirty way is by checking the file size of +> `/sys/firmware/efi/efivars/dbx-*`. +> Keeping an up to date dbx reduces Secure Boot bypasses, see for example: +> . + That's all! 🥳 ## Troubleshooting
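Review bot: in the first hunk (`@@ -269,12`), dropping step 5 leaves "You can see these steps as a video [here](...)" pointing at a walkthrough that may still show "Clear All Secure Boot Keys"; if it does, the text should tell the reader to skip that step in the video, otherwise the new warning is undone by the very link that follows it. It would also help to say in one clause what "Reset to Setup Mode" does on its own (firmware accepts new PK/KEK/db from the OS) so the difference from clearing all keys, which also wipes dbx, is explicit rather than implied by the warning box.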
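Review bot: in the second hunk (`@@ -288,8`), the warning never states the consequence it is guarding against: an OptionROM whose signature does not chain to a certificate in db is refused by the firmware, so the device it belongs to may not initialize without `--microsoft`. Suggest saying that first, then the sentence on `--microsoft`. Wording: "By using the `--microsoft`, we enroll" is missing a noun ("the `--microsoft` flag"), and "enroll OptionROMs checksum seen at last boot" should read "enroll the checksums of the OptionROMs seen at the last boot"; since the paragraph already concedes "these checksums might change later", tell the reader what that means for them (the OptionROM stops being accepted and enrollment has to be redone) so the trade-off against `--microsoft` is clear.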
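Review bot: in the third hunk (`@@ -301,6`), the closing reference reads "see for example:" followed by a bare ".", with no visible URL; either the autolink was swallowed or it was never filled in, so add the link in plain markdown form or drop the sentence. The dbx check also needs a concrete criterion: efivarfs prefixes each variable with a 4-byte attribute word, so a dbx with no entries shows up as a 4-byte `/sys/firmware/efi/efivars/dbx-*` file, and anything substantially larger means the list is populated; stating that makes "not empty" testable instead of "quick and dirty". Consider also spelling out why this matters specifically after `--microsoft`: once the Microsoft CA is trusted, revoked Microsoft-signed binaries are blocked only by dbx entries. Minor: "up to date dbx" should be hyphenated ("up-to-date dbx").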