User:Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot/Using KeyTool

From Gentoo Wiki

Configuring Secure Boot using KeyTool

If you encountered the "wrong filesystem permissions" issue when trying to use efi-updatevar and you cannot add keys through your BIOS's setup screens, there is another solution: the KeyTool EFI application that ships with efitools. As a prerequisite, I recommend using this script to generate new keys, as it ensures you have .esl files for all your own keys. Before running that script, copy the Windows keys to a different directory (like /etc/efikeys/old), as the script will probably erase them. After generating keys with that script, follow these steps to install them, along with the original keys, into your firmware's key databases:

  1. Mount the EFI flash drive using a command like:
    root #mount -o rw /dev/sdZn /mnt
  2. Copy the keys to the drive:
    root #cd /etc/efikeys
    root #mkdir -v -p /mnt/keys/old
    root #cp *.esl *.crt *.auth /mnt/keys/
    root #cd old
    root #cp *.esl *.crt *.auth /mnt/keys/old
  3. Back up the old bootx64.efi on your flash drive and copy the KeyTool in its place:
    root #mv /mnt/EFI/Boot/bootx64.efi /mnt/EFI/Boot/bootx64.efi.gentoo
    root #cp /usr/share/efitools/efi/KeyTool.efi /mnt/EFI/Boot/bootx64.efi
  4. Reboot to BIOS and reset your keys (enter Setup Mode) again.
  5. Using your BIOS's boot menu or your favorite equivalent, boot to the USB drive (not to the Gentoo entry, but instead to the generic entry).
  6. You'll be presented with a blue screen with a menu in the middle. Select "Edit Keys".
  7. Starting with the Key Exchange Key (notably not the Platform Key) and working your way down, select each key type (except for Machine Owner Key) and do two things:
    1. Replace key(s) with the original keys, navigating the directory tree until you find where you put them.
      Note: With some BIOSes, you may encounter problems inserting your db.crt under KeyTool once your KEK has been inserted. If this occurs, try appending (in KeyTool) your db.auth file instead (creation of this file was described in a note in the main text).
    2. Add New Key with your own key(s), navigating the directory tree until you find them. You don't need to do this for the Forbidden signatures (dbx).
  8. Once you've done this for all the keys other than the PK, select that one and replace it with your own key.
  9. Press ESC until you get back to the main menu, then select "Exit". You're done!
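Steps 1 to 3 above are the only part of the procedure that happens in a shell, and they are where a slip is most likely: copying into an unmounted /mnt, staging keys without the .esl files KeyTool needs for "Add New Key", or overwriting a bootx64.efi backup from an earlier attempt. The script below is an added example for this guide, not code from the page or from efitools; it wraps those three steps in checks and adds a restore step for putting the original bootx64.efi back once KeyTool has done its job (the guide only says to back it up, so the restore goes beyond the steps listed). It assumes the key file names PK.esl, KEK.esl, db.esl and db.auth, the directory layout /etc/efikeys and /etc/efikeys/old, the mount point /mnt, and the KeyTool path from step 3; all of these can be overridden through environment variables.

```shell
#!/bin/sh
# Stage Secure Boot key files and KeyTool onto an already-mounted EFI flash drive
# (steps 1-3 of the guide), with checks. Added example; not part of efitools.
# Assumed defaults, overridable via the environment:
set -eu
KEYDIR="${KEYDIR:-/etc/efikeys}"          # your own keys (assumed location)
OLDDIR="${OLDDIR:-$KEYDIR/old}"           # the original/Windows keys you saved
ESP="${ESP:-/mnt}"                        # where the flash drive is mounted
KEYTOOL="${KEYTOOL:-/usr/share/efitools/efi/KeyTool.efi}"

# KeyTool's "Add New Key" needs an .esl per key type; db.auth is the fallback the
# guide's note describes for BIOSes that reject db.crt. Returns 1 if an .esl is missing.
check_key_files() {
    ck_dir="$1"; ck_missing=0
    for ck_name in PK KEK db; do            # assumed file names PK.esl, KEK.esl, db.esl
        if [ ! -f "$ck_dir/$ck_name.esl" ]; then
            echo "missing: $ck_dir/$ck_name.esl (needed for 'Add New Key')" >&2
            ck_missing=1
        fi
    done
    [ -f "$ck_dir/db.auth" ] || echo "warning: $ck_dir/db.auth not found; some BIOSes need it instead of db.crt" >&2
    return "$ck_missing"
}

# Copy *.esl, *.crt and *.auth from one directory to another (step 2 of the guide)
# and print how many files were copied, so an empty source is noticed immediately.
stage_keys() {
    st_src="$1"; st_dest="$2"; st_n=0
    mkdir -p "$st_dest"
    for st_f in "$st_src"/*.esl "$st_src"/*.crt "$st_src"/*.auth; do
        if [ -f "$st_f" ]; then               # unmatched globs stay literal; skip them
            cp "$st_f" "$st_dest/"
            st_n=$((st_n + 1))
        fi
    done
    echo "$st_n"
}

# Step 3: move bootx64.efi aside as bootx64.efi.gentoo and put KeyTool in its place.
# Refuses to clobber an existing backup and verifies the copy byte for byte.
install_keytool() {
    ik_bootdir="$1/EFI/Boot"; ik_tool="$2"
    if [ -e "$ik_bootdir/bootx64.efi.gentoo" ]; then
        echo "refusing to overwrite existing backup $ik_bootdir/bootx64.efi.gentoo" >&2
        return 1
    fi
    mv "$ik_bootdir/bootx64.efi" "$ik_bootdir/bootx64.efi.gentoo"
    cp "$ik_tool" "$ik_bootdir/bootx64.efi"
    cmp -s "$ik_tool" "$ik_bootdir/bootx64.efi"   # status 0 only if identical
}

# After KeyTool is no longer needed: put the original boot loader back.
restore_bootloader() {
    rb_bootdir="$1/EFI/Boot"
    if [ ! -f "$rb_bootdir/bootx64.efi.gentoo" ]; then
        echo "no backup at $rb_bootdir/bootx64.efi.gentoo" >&2
        return 1
    fi
    mv -f "$rb_bootdir/bootx64.efi.gentoo" "$rb_bootdir/bootx64.efi"
}

main() {
    # Step 1 is left to you (mount -o rw /dev/sdZn "$ESP"); just confirm it happened,
    # otherwise everything below lands on the root filesystem instead of the drive.
    mountpoint -q "$ESP" || { echo "$ESP is not a mount point; mount the flash drive first" >&2; exit 1; }
    check_key_files "$KEYDIR"
    echo "copied $(stage_keys "$KEYDIR" "$ESP/keys") of your key files to $ESP/keys"
    echo "copied $(stage_keys "$OLDDIR" "$ESP/keys/old") original key files to $ESP/keys/old"
    install_keytool "$ESP" "$KEYTOOL"
    echo "KeyTool staged as $ESP/EFI/Boot/bootx64.efi; enter Setup Mode, then boot the drive's generic entry"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `sh stage-keytool.sh --run` after mounting the drive; when you are finished in KeyTool, mount the drive again and call `restore_bootloader /mnt` (for example via `sh -c '. ./stage-keytool.sh; restore_bootloader /mnt'`) to get the Gentoo boot loader back. The counts it prints are the quickest sanity check: if "your key files" comes out as 0, the key-generation script did not leave .esl files where the guide expects them.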