Secure boot

From finninday

Enabling secure boot on Dell Latitude E6440 running Fedora 22

Background

I've wiped the Microsoft OS that came with this machine and installed Fedora. Now, I'd like to enable secure boot. I'm not dual-booting with Windows. Just Fedora.

Enable Secure Boot and see how things fail without a key

Boot to bios with F12

It looks like this:

Use the ^(Up) and v(Down) arrow keys to move the pointer to the desired boot device.
Press [Enter] to a attempt the boot or ESC to Cancel. (* = Password Required)

Boot mode is set to: LEGACY; Secure Boot: OFF

LEGACY BOOT:
    USB Storage Device
    CD/DVD/CD-RW Drive
    Internal HDD
    Onboard NIC
OTHER OPTIONS:
    BIOS Setup
    BIOS Flash Update
    Diagnostics
    CHange Boot Mode Settings

The BIOS indicates that Secure Boot is off.

Turn on Secure Boot and get scary warning #1

Use the ^(Up) and v(Down) arrow keys to move the pointer to the desired boot device.
Press [Enter] to a attempt the boot or ESC to Cancel. (* = Password Required)

Boot mode is set to: LEGACY; Secure Boot: OFF

WARNING:
You have chosen to make changes to the system boot settings. These settings
will alter the way that the computer is allowed to boot.  Proceed with caution.
Please select an option:

CHANGE BOOT MODE TO:
    1) UEFI Boot Mode, Secure Boot OFF
    2) UEFI Boot Mode, Secure Boot ON

Get scary warning #2

Use the ^(Up) and v(Down) arrow keys to move the pointer to the desired boot device.
Press [Enter] to a attempt the boot or ESC to Cancel. (* = Password Required)

Boot mode is set to: LEGACY; Secure Boot: OFF

WARNING:
You have chosen to enable the UEFI Secure Boot feature.
When this feature is enabled, it is only possible to boot an Operating
System or Application that is both Digitally Signed and Trusted. Changing
this setting may render the system unable to boot to the currently installed
Operating System. Please proceed with caution.

DO YOU WISH TO PROCEED?
    Yes
    No

Scary warning #3

Use the ^(Up) and v(Down) arrow keys to move the pointer to the desired boot device.
Press [Enter] to a attempt the boot or ESC to Cancel. (* = Password Required)

Boot mode is set to: LEGACY; Secure Boot: OFF

WARNING:
The required changes to enable the UEFI Secure Boot feature will now be applied.
Select <Apply the changes> to confirm the change or <Cancel> to abort and keep
the current settings.  Please only mke this change if you are certain.


FINAL CONFIRMATION:
    Apply the Change
    Cancel

Hey, my system is broken! Why didn't anyone warn me about this?

No bootable devices found.
Press F1 key to retry boot.
Press F2 key for setup utility.
Press F5 key to run onboard diagnostics.

Return to legacy boot

The EFI boot menus look different, so the path back to legacy boot is a bit different.

Select Settings > Secure Boot > Secure Boot Enable > Disable

Select Settings > General > Advanced Boot Options > Enable Legacy Option ROMs

Select Settings > General > Boot Sequence > Boot List Option > Legacy

Now I can boot back into Fedora and I can resume breathing.


Expert Key Management in BIOS

So there is an option in my BIOS called Expert Key Management and it has these four options:

  • PK
  • KEK
  • db
  • dbx

And it gives this blurb:

Expert Key Management allows the PK, KEK, db, and dbx security key databases to be manipulated. The keys can only be modified if the system is in Custom Mode. If Custom mode is disabled, any changes made while in Custom Mode will be erased and the keys will revert back to their default setting. Save to File will save the key to a user-selected file. Replace from File will replace the current key with a key from a user-selected file. Append from File will add a key to the current database from a user-selected file. Delete will delete the selected key. Reset All Keys will reset all four keys to their default setting.

Read this next: https://fedoraproject.org/wiki/Unified_Extensible_Firmware_Interface

  • Did my system installer boot into UEFI-native or BIOS-native? If it was UEFI-native, that would tell me that my system is capable of booting into UEFI-native.

[root@servo rday]# grep platform /var/log/anaconda/anaconda.log 
08:50:03,558 INFO anaconda: bootloader GRUB2 on X86 platform
08:50:03,558 INFO anaconda: bootloader GRUB2 on X86 platform

I have GRUB2 instead of EFIGRUB, so my installation was booted into BIOS-native.

So it appears that my path forward is going to go through a fresh reinstall in order to enable secure boot.
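The two checks made by hand above (did the installer run UEFI-native, and is Secure Boot actually enforced) can be scripted from what the Fedora kernel exposes. The script below is an added example, not code from the original page. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the Fedora default) and that anaconda.log is at the path grep'd above; both paths can be overridden through environment variables. The SecureBoot and SetupMode variables live under the UEFI global-variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c. SetupMode=1 means the firmware has no Platform Key enrolled and its key databases (PK, KEK, db, dbx from the Expert Key Management blurb) are writable, so nothing is being enforced; whether Dell's "Custom Mode" maps exactly onto that flag is an assumption, not something the page confirms.

```shell
#!/bin/sh
# Added example (not from the original page): report how this machine booted
# and whether Secure Boot is enforced, using interfaces the kernel exposes.

# EFI_GLOBAL_VARIABLE GUID fixed by the UEFI spec; SecureBoot and SetupMode
# are stored under it. efivarfs exposes each variable as a file whose first
# 4 bytes are the attribute word, followed by the data (1 byte for these two).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"      # Fedora default mount
ANACONDA_LOG="${ANACONDA_LOG:-/var/log/anaconda/anaconda.log}"

# Decode a one-byte boolean variable file. Prints 1, 0, or "absent"
# (missing, unreadable, or not the expected shape).
efivar_bool() {
    f="$1"
    [ -r "$f" ] || { echo absent; return 0; }
    # skip the 4 attribute bytes and read exactly one data byte as decimal
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        0) echo 0 ;;
        1) echo 1 ;;
        *) echo absent ;;
    esac
}

# Same classification the page does by grepping anaconda.log: EFIGRUB on an
# EFI platform means the installer itself ran UEFI-native.
anaconda_boot_mode() {
    log="$1"
    if grep -q 'bootloader EFIGRUB on EFI platform' "$log" 2>/dev/null; then
        echo UEFI
    elif grep -q 'bootloader GRUB2 on X86 platform' "$log" 2>/dev/null; then
        echo BIOS
    else
        echo unknown
    fi
}

# Combine SecureBoot and SetupMode into one state word.
#   not-uefi   : variables absent (legacy boot, or firmware without Secure Boot)
#   setup-mode : no Platform Key enrolled; key databases writable, nothing enforced
#   enforcing  : SecureBoot=1 with a PK in place
#   disabled   : UEFI boot with Secure Boot switched off
secure_boot_state() {
    sb="$1"; sm="$2"
    if [ "$sb" = absent ]; then echo not-uefi
    elif [ "$sm" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enforcing
    else echo disabled
    fi
}

main() {
    if [ -d /sys/firmware/efi ]; then
        echo "running kernel was booted via UEFI"
    else
        echo "running kernel was booted via legacy BIOS (no /sys/firmware/efi)"
    fi
    sb=$(efivar_bool "$EFIVARS_DIR/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_bool "$EFIVARS_DIR/SetupMode-$EFI_GLOBAL_GUID")
    echo "SecureBoot=$sb SetupMode=$sm -> $(secure_boot_state "$sb" "$sm")"
    echo "installer platform (anaconda.log): $(anaconda_boot_mode "$ANACONDA_LOG")"
}

main "$@"
```

On the E6440 as it stood before the reinstall, this would report a legacy boot with no efivars (state not-uefi), which is the same conclusion the grep reached; on the Acer it should report a UEFI boot with the SecureBoot variable absent, since that firmware exposes no Secure Boot support. Fedora's stock way to read the same variable is `mokutil --sb-state`; the value of decoding it by hand is seeing that "enforcing" only means anything when SetupMode is 0, because a firmware left in setup mode accepts any key databases and verifies nothing.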

On another system that I thought was too old (BIOS reports a date of 2011) to have UEFI, anaconda reports that it booted into UEFI:

[root@muno rday]# grep platform /var/log/anaconda/anaconda.log 
12:05:02,582 INFO anaconda: bootloader EFIGRUB on EFI platform
12:05:02,678 INFO anaconda: bootloader EFIGRUB on EFI platform

OK, so that Acer BIOS from 2011 does have UEFI options. It shows my boot priority order with the first option as "UEFI:Fedora".

But it does not have any secure boot options.