Merge pull request #186 from erdnaxe/docs_update

docs: add precision about dbx and OptionROMs
2023-05-27 12:14:02 +02:00 · 2023-05-27 12:14:02 +02:00 · f641dcfc8b
parent dc52f0352d b673e1b71f
commit f641dcfc8b
1 changed files with 18 additions and 2 deletions
--- a/docs/QUICK_START.md
+++ b/docs/QUICK_START.md
@ -269,12 +269,14 @@ entry in the systemd-boot boot menu. Once you are in the BIOS menu:
 2. Select the "Secure Boot" entry.
 3. Set "Secure Boot" to enabled.
 4. Select "Reset to Setup Mode".
-5. Select "Clear All Secure Boot Keys".

 When you are done, press F10 to save and exit.

 You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ).

+> ⚠️ Do not select "Clear All Secure Boot Keys" as it will drop the Forbidden
+> Signature Database (dbx).
+
 ### Enrolling Keys

 Once you've booted your system into NixOS again, you have to enroll
@ -288,8 +290,14 @@ With vendor keys from microsoft...✓
 Enrolled keys to the EFI variables!
 ```

+> ⚠️ During boot, some hardware might include OptionROMs signed with
+> Microsoft keys.
+> By using the `--microsoft`, we enroll the Microsoft OEM certificates.
+> Another more experimental option would be to enroll OptionROMs checksum seen
+> at last boot using `--tpm-eventlog`, but these checksums might change later.
+
 You can now reboot your system. After you've booted, Secure Boot is
-activated:
+activated and in user mode:

 ```console
 $ bootctl status
@ -301,6 +309,14 @@ System:
  Boot into FW: supported
 ```

+> ⚠️  If you used `--microsoft` while enrolling the keys, you might want
+> to check that the Secure Boot Forbidden Signature Database (dbx) is not
+> empty.
+> A quick and dirty way is by checking the file size of
+> `/sys/firmware/efi/efivars/dbx-*`.
+> Keeping an up to date dbx reduces Secure Boot bypasses, see for example:
+> <https://uefi.org/sites/default/files/resources/dbx_release_info.pdf>.
+
 That's all! 🥳

 ## Troubleshooting