User:Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot/Using KeyTool

Configuring Secure Boot using KeyTool
If you encountered the "wrong filesystem permissions" issue when trying to use efi-updatevar and you cannot add keys with your BIOS, there is another solution: the KeyTool EFI application that comes with efitools. As a prerequisite, I recommend using this script to generate new keys, as it ensures you have .esl files for all your own keys. Before running that script, copy the Windows keys to a different directory (like /etc/efikeys/old), as the script will probably erase them. After generating keys with that script, follow these steps to install them, as well as the original keys, to your system:


 * 1) Mount the EFI flash drive using a command like:
 * 2) Copy the keys to the drive:
 * 3) Back up the old bootx64.efi on your flash drive and copy the KeyTool in its place:
 * 4) Reboot to BIOS and reset your keys (enter Setup Mode) again.
 * 5) Using your BIOS's boot menu or your favorite equivalent, boot to the USB drive (not to the Gentoo entry, but instead to the generic entry).
 * 6) You'll be presented with a blue screen with a menu in the middle. Select "Edit Keys".
 * 7) Starting with the Key Exchange Key (notably not the Platform Key) and working your way down, select each key type (except for Machine Owner Key) and do two things:
 * 8) Replace key(s) with the original keys, navigating the directory tree until you find where you put them.
 * 9) Add New Key with your key, navigating the directory tree until you find them. You don't need to do this for the Forbidden signatures.
 * 10) Once you've done this for all the keys other than the PK, select that one and replace it with your own key.
 * 11) Press ESC until you get back to the main menu, then select "Exit". You're done!
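
Steps 2 and 3 above, once the flash drive is mounted, as an added shell example (not part of the original guide). The `EFI/Boot` location, the `keys/new` and `keys/old` directory names and the `.orig` backup name are assumptions. It copies only `.esl`, `.auth` and `.cer` files, so private `.key` files never land on the unencrypted FAT drive.

```shell
# Added example: stage KeyTool plus public key material on a mounted EFI drive.
# All paths are caller-supplied assumptions, not values from the guide.

# Copy only public key material (.esl/.auth/.cer) from $1 to $2; skip *.key.
_copy_public() {
    src="$1"; dst="$2"; n=0
    for f in "$src"/*.esl "$src"/*.auth "$src"/*.cer; do
        [ -f "$f" ] || continue          # unmatched glob stays literal
        cp -- "$f" "$dst/" || return 1
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no .esl/.auth/.cer files in $src" >&2
        return 1
    fi
}

# stage_keytool ESP_MOUNT NEW_KEY_DIR OLD_KEY_DIR KEYTOOL_EFI
stage_keytool() {
    esp="$1"; new_keys="$2"; old_keys="$3"; keytool="$4"
    boot_dir="$esp/EFI/Boot"             # assumed location of bootx64.efi
    loader="$boot_dir/bootx64.efi"
    backup="$loader.orig"                # hypothetical backup name

    [ -d "$esp" ]     || { echo "nothing mounted at $esp" >&2; return 1; }
    [ -f "$keytool" ] || { echo "KeyTool not found: $keytool" >&2; return 1; }
    [ -f "$loader" ]  || { echo "no bootx64.efi in $boot_dir" >&2; return 1; }
    # Refuse to overwrite an earlier backup: on a second run bootx64.efi is
    # already KeyTool, and the backup is the only copy of the real loader.
    if [ -e "$backup" ]; then
        echo "backup already exists: $backup" >&2
        return 1
    fi

    mkdir -p "$esp/keys/new" "$esp/keys/old" || return 1
    _copy_public "$new_keys" "$esp/keys/new" || return 1   # your own keys
    _copy_public "$old_keys" "$esp/keys/old" || return 1   # original keys

    cp -- "$loader" "$backup" && cp -- "$keytool" "$loader"
}

# Usage (every path here is a placeholder for your own layout):
#   stage_keytool <esp-mountpoint> <new-key-dir> <old-key-dir> <path-to-KeyTool.efi>
```

After you finish in KeyTool, copy `bootx64.efi.orig` back over `bootx64.efi` to restore the drive's normal loader.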