←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 1 comments | 18 Jul 25 03:53 UTC | HN request time: 0.2s | source
Show context
omnibrain ◴[18 Jul 25 08:23 UTC] No.44602459[source]
I'm sure this is a naive take, but why is it not possible to enter a new key into the BIOS (dating myself, I know it's EFI) by hand?
replies(4): >>44602517 #>>44602569 #>>44602734 #>>44603003 #
1. eqvinox ◴[18 Jul 25 10:09 UTC] No.44603003[source]
It's possible and it's what you should be doing. "sbctl" (https://github.com/Foxboron/sbctl) AFAIK has a reasonable frontend for doing that on Linux (don't know, I did it manually). You have to put the system in "secure boot setup mode" in BIOS/UEFI options before booting, which enables changing the PK (Platform Key) which is used to chain off all the other keys. (Setup mode should be automatically exited when you install a new PK.)

You can keep the Microsoft keys in there if you want to dual boot Windows, you just need to re-sign the keys themselves with your own PK.