@kurtbahartr
Created December 26, 2024 19:39
Secure boot with own keys on Ubuntu (PERSONAL AND FOR FUTURE REFERENCE!)

Prerequisites

  1. Enter the firmware setup and put Secure Boot into setup mode. This is under the Boot tab.
  2. Microsoft's Secure Boot certificates (links are in the Resources section below). Fetching them with tools such as curl or wget returns 403 Forbidden, so download them manually.
  3. Root access. All of the following commands must run as root.
  4. (Optional) A safe place outside this computer to store the generated keys.

Creating and enrolling the keys

# Replace the following variable with the path to where you downloaded the certs.
# Note: these commands run as root, so $HOME is root's home (e.g. /root under sudo);
# point this at the actual download location if that differs.
MS_CERTS_DIR=$HOME/Downloads
mkdir -p /etc/efi-keys
cd /etc/efi-keys
# mkkeys.sh generates our own PK, KEK and DB key pairs plus the matching .esl/.auth files.
curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
chmod +x mkkeys.sh
# mkkeys.sh prompts for a Common Name. It doesn't matter much as long as it makes sense for you.
# I roll with my laptop's hostname here.
./mkkeys.sh
# Wrap each Microsoft certificate in an EFI signature list (.esl), all tagged with the same owner GUID.
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db_2011.esl "$MS_CERTS_DIR"/MicWinProPCA2011_2011-10-19.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db_2023.esl "$MS_CERTS_DIR"/'windows uefi ca 2023.crt'
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db_2011.esl "$MS_CERTS_DIR"/MicCorUEFCA2011_2011-06-27.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db_2023.esl "$MS_CERTS_DIR"/'microsoft uefi ca 2023.crt'
# Signature lists are self-describing, back-to-back structures, so concatenating them yields one valid list.
cat MS_Win_db_2011.esl MS_Win_db_2023.esl MS_UEFI_db_2011.esl MS_UEFI_db_2023.esl > MS_db.esl
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK_2011.esl "$MS_CERTS_DIR"/MicCorKEKCA2011_2011-06-24.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK_2023.esl "$MS_CERTS_DIR"/'microsoft corporation kek 2k ca 2023.crt'
cat MS_Win_KEK_2011.esl MS_Win_KEK_2023.esl > MS_Win_KEK.esl
# Sign the Microsoft db list with our KEK and the Microsoft KEK list with our PK.
# -a marks the update as an append, so it adds to the variable instead of replacing our own entries.
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db MS_db.esl add_MS_db.auth
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k PK.key -c PK.crt KEK MS_Win_KEK.esl add_MS_Win_KEK.auth
# Lay out the keystore the way sbkeysync expects it.
mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
cp DB.auth /etc/secureboot/keys/db/
cp add_MS_db.auth /etc/secureboot/keys/db/
cp KEK.auth /etc/secureboot/keys/KEK/
cp add_MS_Win_KEK.auth /etc/secureboot/keys/KEK/
cp PK.auth /etc/secureboot/keys/PK/
# The efivars files are immutable by default; clear the flag so the variables can be written.
chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*
# Enroll db and KEK. sbkeysync does not touch PK by default, so PK is written explicitly last:
# enrolling PK is what takes the firmware out of setup mode.
sbkeysync --keystore /etc/secureboot/keys/ --verbose
efi-updatevar -f /etc/secureboot/keys/PK/PK.auth PK
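The `cat` step above works because an EFI signature list (.esl) is a self-describing structure that can be laid end to end. The following is an added example, not part of the gist: it builds two single-certificate x509 lists the way `sbsiglist` does, concatenates them like `MS_db.esl`, and parses the result so you can sanity-check owner GUIDs and entry counts before signing. The certificate bytes are constructed placeholders, not real certificates.

```python
import struct
import uuid

# GUIDs: EFI_CERT_X509_GUID from the UEFI spec, and the owner GUID the gist passes to sbsiglist.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PAGE_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")

def build_esl(owner, sig_type, blob):
    """One EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA entry (what sbsiglist --type x509 emits)."""
    entry = owner.bytes_le + blob  # SignatureOwner (mixed-endian GUID) followed by SignatureData
    return HDR.pack(sig_type.bytes_le, HDR.size + len(entry), 0, len(entry)) + entry

def parse_esl(data):
    """Walk back-to-back EFI_SIGNATURE_LISTs (e.g. a cat-built MS_db.esl) and return
    [(type_guid, [(owner_guid, signature_data), ...]), ...]; ValueError on truncated/inconsistent input."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        end, body_len = off + list_size, list_size - HDR.size - hdr_size
        # Every entry must be sig_size bytes and the list must fit in the data we have.
        if end > len(data) or body_len < 0 or sig_size < 16 or body_len % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST at offset %d" % off)
        pos, entries = off + HDR.size + hdr_size, []
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append((uuid.UUID(bytes_le=sig_type), entries))
        off = end
    return lists

def owners_match(lists, expected_owner):
    """True when every entry in every list carries the expected SignatureOwner GUID."""
    return all(owner == expected_owner for _, entries in lists for owner, _ in entries)

# Constructed stand-ins for two DER certificates (not real certs); in practice each is a .crt's DER bytes.
FAKE_CERT_A = b"\x30\x82" + b"A" * 40
FAKE_CERT_B = b"\x30\x82" + b"B" * 40
# Mirrors two sbsiglist calls followed by `cat ... > MS_db.esl`.
MS_DB_ESL = (build_esl(PAGE_OWNER_GUID, EFI_CERT_X509_GUID, FAKE_CERT_A)
             + build_esl(PAGE_OWNER_GUID, EFI_CERT_X509_GUID, FAKE_CERT_B))
```

Point `parse_esl` at the bytes of a real `MS_db.esl` to confirm it holds four x509 lists with the intended owner before running `sign-efi-sig-list`.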

Enrolling the MOK key (if present; needed for DKMS-built modules such as the VirtualBox kernel modules from virtualbox-dkms)

mokutil --import /var/lib/shim-signed/mok/MOK.der

Note

This will ask for a password. I usually roll with 12345678 since it's easy to enter later on as well. This is not, and has no impact on, your user/root password.

Post enrollment

Just reboot, enable Secure Boot in the BIOS, and enroll the MOK when prompted on boot. lol

Resources

Microsoft secure boot certificates

Sources for the commands
