Merge pull request #186 from erdnaxe/docs_update

docs: add precision about dbx and OptionROMs
This commit is contained in:
Julian Stecklina 2023-05-27 12:14:02 +02:00 committed by GitHub
commit f641dcfc8b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 2 deletions

View File

@ -269,12 +269,14 @@ entry in the systemd-boot boot menu. Once you are in the BIOS menu:
2. Select the "Secure Boot" entry.
3. Set "Secure Boot" to enabled.
4. Select "Reset to Setup Mode".
5. Select "Clear All Secure Boot Keys".
When you are done, press F10 to save and exit.
You can see these steps as a video [here](https://www.youtube.com/watch?v=aLuCAh7UzzQ).
> ⚠️ Do not select "Clear All Secure Boot Keys" as it will drop the Forbidden
> Signature Database (dbx).
### Enrolling Keys
Once you've booted your system into NixOS again, you have to enroll
@ -288,8 +290,14 @@ With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
```
> ⚠️ During boot, some hardware might include OptionROMs signed with
> Microsoft keys.
> By using the `--microsoft`, we enroll the Microsoft OEM certificates.
> Another more experimental option would be to enroll OptionROMs checksum seen
> at last boot using `--tpm-eventlog`, but these checksums might change later.
You can now reboot your system. After you've booted, Secure Boot is
activated:
activated and in user mode:
```console
$ bootctl status
@ -301,6 +309,14 @@ System:
Boot into FW: supported
```
> ⚠️ If you used `--microsoft` while enrolling the keys, you might want
> to check that the Secure Boot Forbidden Signature Database (dbx) is not
> empty.
> A quick and dirty way is by checking the file size of
> `/sys/firmware/efi/efivars/dbx-*`.
> Keeping an up to date dbx reduces Secure Boot bypasses, see for example:
> <https://uefi.org/sites/default/files/resources/dbx_release_info.pdf>.
That's all! 🥳
## Troubleshooting