kurtbahartr · December 26, 2024 19:39 · Dec 26, 2024
diff --git a/sb-ubuntu.mkdn b/sb-ubuntu.mkdn
@@ -0,0 +1,70 @@
+# Prerequirements
+
+1. Head over to the firmware setup and switch to secure boot's setup mode. Find this in the Boot tab.
+2. Microsoft's secure boot certificates. The links are in the `Resources` section below. **Using something akin to `curl` and `wget` will return error 403-Forbidden!**
+3. Root access. All of the following commands must run as root.
+4. (Optionally) A safe environment outside of your computer to store these keys inside.
+
+# Creating and enrolling the keys
+
+```
+# Replace the following variable with the path to where you downloaded the certs.
+MS_CERTS_DIR=$HOME/Downloads
+mkdir -p /etc/efi-keys
+cd /etc/efi-keys
+curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
+chmod +x mkkeys.sh
+./mkkeys.sh
+# The Common Name here doesn't matter much as long as it makes sense for you.
+# I roll with my laptop's hostname here.
+sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db_2011.esl "$MS_CERTS_DIR"/MicWinProPCA2011_2011-10-19.crt
+sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db_2023.esl "$MS_CERTS_DIR"/'windows uefi ca 2023.crt'
+sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db_2011.esl "$MS_CERTS_DIR"/MicCorUEFCA2011_2011-06-27.crt
+sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db_2023.esl "$MS_CERTS_DIR"/'microsoft uefi ca 2023.crt'
+cat MS_Win_db_2011.esl MS_Win_db_2023.esl MS_UEFI_db_2011.esl MS_UEFI_db_2023.esl > MS_db.esl
+sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK_2011.esl "$MS_CERTS_DIR"/MicCorKEKCA2011_2011-06-24.crt
+sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK_2023.esl "$MS_CERTS_DIR"/'microsoft corporation kek 2k ca 2023.crt'
+cat MS_Win_KEK_2011.esl MS_Win_KEK_2023.esl > MS_Win_KEK.esl
+sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt db MS_db.esl add_MS_db.auth
+sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k PK.key -c PK.crt KEK MS_Win_KEK.esl add_MS_Win_KEK.auth
+mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
+cp DB.auth /etc/secureboot/keys/db/
+cp add_MS_db.auth /etc/secureboot/keys/db/
+cp KEK.auth /etc/secureboot/keys/KEK/
+cp add_MS_Win_KEK.auth /etc/secureboot/keys/KEK/
+cp PK.auth /etc/secureboot/keys/PK/
+chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*
+sbkeysync --keystore /etc/secureboot/keys/ --verbose
+efi-updatevar -f /etc/secureboot/keys/PK/PK.auth PK
+```
+
+# Enrolling MOK keys (if present, needed for DKMS modules like VirtualBox kernel modules, `virtualbox-dkms`)
+
+```
+mokutil --import /var/lib/shim-signed/mok/MOK.der
+```
+> [!NOTE]
+> This will ask for a password. I usually roll with `12345678` since it's easy to enter later on as well. This is not, and has no impact on, your user/root password.
+
+# Post enrollment
+
+Just reboot, enable secure boot in BIOS and enroll MOK lol
+
+# Resources
+
+## Microsoft secure boot certificates
+- https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+- https://www.microsoft.com/pkiops/certs/windows%20uefi%20ca%202023.crt
+- https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
+- https://www.microsoft.com/pkiops/certs/microsoft%20uefi%20ca%202023.crt
+- https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt
+- https://www.microsoft.com/pkiops/certs/microsoft%20corporation%20kek%202k%20ca%202023.crt
+
+## Sources for the commands
+
+- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Helper_script
+  - 3.1.5.2.1: Helper script
+  - 3.1.5.3.1: Using sbkeysync
+  - 3.1.7.1: Microsoft Windows
+- https://wiki.debian.org/SecureBoot#Enrolling_your_key
+  - Enrolling your key
No results found