Add Secure Boot support #14

Draft: wants to merge 3 commits into master
khronokernel (Member) commented Oct 1, 2020

To-do:

  • Aptio V info
  • Insyde H2O info
  • Phoenix SCT info

khronokernel marked this pull request as draft October 6, 2020 16:56

* This includes DmgLoading and SecureBootModel, ApECID is optional however we strongly encourage you to set this up as well
* Reminder DmgLoading must be set to either `Signed` or `Disabled`
* You've setup Vaulting
* Note Vaulting and FileVault are different, FieVault is not require for UEFI Secure Boot however is still strongly encouraged
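
Review bot: the prerequisite bullet `You've setup Vaulting` uses the noun "setup" where the verb "set up" is needed, and it gives no pointer to how vaulting is configured even though the next bullet has to explain that it is not FileVault. Suggest "You've set up Vaulting" with a link to the vaulting instructions, and split the first bullet into two sentences after `SecureBootModel` so the ApECID recommendation stands on its own.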


Suggested change
* Note Vaulting and FileVault are different, FieVault is not require for UEFI Secure Boot however is still strongly encouraged
* Note Vaulting and FileVault are different, FileVault is not require for UEFI Secure Boot however is still strongly encouraged

Typo fix


There is a grammar issue here: require to required

dongle-the-gadget commented Nov 1, 2020

On some systems (including mine), UEFI Secure Boot always assumes that you are using Windows 8 or newer, so it checks to see if the Microsoft Windows UEFI certificate is available or not; if not, then "secure boot violation" it goes!

dongle-the-gadget left a comment

I see that db.esl is only created if the user uses MS keys.



```sh
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth
```

dongle-the-gadget Nov 1, 2020

Suggested change
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth
# NOTE: If you do not use MS keys, replace db.esl with ISK.esl
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth

db.esl is only created if the user signs MS keys
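
Review bot: on the `sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth` line, the input `db.esl` exists on only one of the two paths discussed here, so a reader who skipped the Microsoft keys has no such file when they reach this step. A comment telling them to swap the filename works, but it is easier to follow if the step that produces the signature list is named next to this command, or if both paths write the same filename so this command is identical for everyone.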
