docs: add precision about dbx and OptionROMs
parent dc52f0352d
commit b673e1b71f
@ -269,12 +269,14 @@ entry in the systemd-boot boot menu. Once you are in the BIOS menu:
2. Select the "Secure Boot" entry.
2. Select the "Secure Boot" entry.
3. Set "Secure Boot" to enabled.
3. Set "Secure Boot" to enabled.
4. Select "Reset to Setup Mode".
4. Select "Reset to Setup Mode".
5. Select "Clear All Secure Boot Keys".
When you are done, press F10 to save and exit.
When you are done, press F10 to save and exit.
You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ).
You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ).
> ⚠️ Do not select "Clear All Secure Boot Keys" as it will drop the Forbidden
> Signature Database (dbx).
### Enrolling Keys
### Enrolling Keys
Once you've booted your system into NixOS again, you have to enroll
Once you've booted your system into NixOS again, you have to enroll
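Review bot: the new dbx warning lands after the "press F10 to save and exit" line and the video link, so a reader working down the numbered list has already chosen "Reset to Setup Mode" and saved before seeing it; move the `> ⚠️ Do not select "Clear All Secure Boot Keys"` block directly under step 4, where the removed step 5 used to sit, so the warning is read at the moment the menu entry is on screen. The video is still introduced as showing "these steps", but it presumably predates this change and may show "Clear All Secure Boot Keys" being selected; add a short note beside the link that this step is to be skipped, since a viewer following the video will otherwise drop the dbx the warning is trying to protect.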
@ -288,8 +290,14 @@ With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
Enrolled keys to the EFI variables!
```
```
> ⚠️ During boot, some hardware might include OptionROMs signed with
> Microsoft keys.
> By using the `--microsoft`, we enroll the Microsoft OEM certificates.
> Another more experimental option would be to enroll OptionROMs checksum seen
> at last boot using `--tpm-eventlog`, but these checksums might change later.
You can now reboot your system. After you've booted, Secure Boot is
You can now reboot your system. After you've booted, Secure Boot is
activated:
activated and in user mode:
```console
```console
$ bootctl status
$ bootctl status
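Review bot: the note explains what `--microsoft` enrolls but not what it trades away, and that is the point a reader needs to choose between the two options: once the Microsoft certificates are in db, every binary signed by those certificates boots on this machine as well, which is exactly why the dbx check added further down matters; one sentence tying the two together would make the trade-off explicit. The `--tpm-eventlog` alternative should say what makes the checksums change (a firmware or device update that ships a new OptionROM), otherwise "might change later" reads as arbitrary and the reader cannot tell when to re-run it. Wording: "By using the `--microsoft`, we enroll" is missing its noun ("By passing `--microsoft` we also enroll") and "enroll OptionROMs checksum seen at last boot" should read "enroll the OptionROM checksums seen at the last boot". Finally, since the text now promises "activated and in user mode", the `bootctl status` excerpt that follows should include the `Secure Boot:` line that reports the mode, so readers know which output line confirms it.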
@ -301,6 +309,14 @@ System:
Boot into FW: supported
Boot into FW: supported
```
```
> ⚠️ If you used `--microsoft` while enrolling the keys, you might want
> to check that the Secure Boot Forbidden Signature Database (dbx) is not
> empty.
> A quick and dirty way is by checking the file size of
> `/sys/firmware/efi/efivars/dbx-*`.
> Keeping an up to date dbx reduces Secure Boot bypasses, see for example:
> <https://uefi.org/sites/default/files/resources/dbx_release_info.pdf>.
That's all! 🥳
That's all! 🥳
## Troubleshooting
## Troubleshooting
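Review bot: the file-size check in the new dbx note is underspecified: the efivars files start with a 4-byte attribute word before the variable data, so a dbx with no entries is not zero bytes, and the text should say what "not empty" looks like (a populated dbx is many kilobytes; a file of only a few bytes means there are effectively no entries). A check that lists the actual entries would serve readers better than `ls -l`, e.g. `mokutil --dbx` or `efi-readvar -v dbx`. The note also tells readers to verify dbx but not what to do when it is stale or missing; the enroll step shown above only writes keys, so point to where dbx updates come from (the linked uefi.org release page, or fwupd/LVFS on systems that ship dbx updates through it), otherwise "keeping an up to date dbx" has no actionable follow-up.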