User talk:Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot

From Gentoo Wiki
Jump to:navigation Jump to:search
This is a Talk page - please see the documentation about using talk pages. Add newer comments below older ones, sign comments using four tildes (~~~~), and indent successive comments with colons (:). Add new sections at the bottom of the page, under a heading (== ==). Please remember to mark sections as "open for discussion" using {{talk|open}}, so they will show up in the list of open discussions.


Microsoft keys

Talk status
This discussion is still ongoing.

The note about retaining the Microsoft keys could be amended such way that re-signing the Microsoft bootloader with the newly created keys is an alternative to retaining the Microsoft keys (KEK and db). I've tried this and it works very well for my system.

This might require a bit of "feeling lucky" during the testing stage after new keys have been installed in the system's UEFI, because if the keys do not work, even Windows will not boot any longer. Yet, instead of trusting every Microsoft-signed bootloader there is out there, re-signing only the bootloader for one's own system will keep the system's ability to dual-secure-boot Linux and Windows while locking out all other bootloaders, including Windows2Go and other Live-Systems without a locally signed loader.

EFI bootloaders are capable to carry more than one signature, thus, restoring the factory installed keys will keep Windows working while a locally signed Linux will be unable to boot anymore.

That being said I do not know what happens if a Windows update rewrites the Windows bootloader to the EFI partition. Chances are, Windows will no longer boot until the new loader has again been signed with local keys. — The preceding unsigned comment was added by Ftiede (talkcontribs)

Yes, unfortunately the MS bootloader is updated from time to time, so I'd be reluctant to advance this approach as the default. But it would certainly be worth putting in a note about it, as an alternative. I'll look to do that in my next edit pass. Thanks for the suggestion! --Sakaki (talk) 14:51, 23 November 2018 (UTC)
Yes, but so are Gentoo Kernels and GrUB. And since I'm running a Secure Boot configuration where GrUB actually checks signatures, re-signing Kernels and GrUB binaries, or sys-apps/fwupd for that matter, is a common task. Whereas I do admit that the latter ones are obvious to require a re-signing of EFI binaries while Windows will just silently overwrite the bootloader and then refuse to boot afterwards without much more than a Secure Boot error message. So, yeah, removing the Microsoft keys yields another set of problems. --Ftiede (talk) 15:22, 23 November 2018 (UTC)