====== Secure Boot Setup with Manual Key Enrollment via USB ======

A quick guide to configure Secure Boot by generating your own keys and enrolling them manually in the BIOS/UEFI setup from a USB stick.

===== 1. Prerequisites: Install Tools =====

You need `openssl` for key creation and `sbsigntool` for signing EFI binaries.

For Debian/Ubuntu-based systems:
<code bash>
sudo apt-get update
sudo apt-get install openssl sbsigntool
</code>

For Fedora/RHEL-based systems:
<code bash>
# AlmaLinux: enables the extra repository that provides sbsigntools
sudo dnf install almalinux-release-devel
sudo dnf install openssl sbsigntools
</code>

===== 2. Key Generation (using OpenSSL only) =====

Create your own set of Secure Boot keys (PK, KEK, DB). This step generates only the certificate files needed for manual enrollment: a PEM certificate (`.crt`) and private key (`.key`) per role, plus a DER copy (`.cer`) of each certificate, which is the format the BIOS file browser expects.

<code bash>
# Create a directory for your keys
mkdir -p ~/secureboot-keys
cd ~/secureboot-keys

# Platform Key (PK)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout PK.key -out PK.crt -subj "/CN=My Platform Key/"
openssl x509 -in PK.crt -outform der -out PK.cer

# Key Exchange Key (KEK)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout KEK.key -out KEK.crt -subj "/CN=My Key Exchange Key/"
openssl x509 -in KEK.crt -outform der -out KEK.cer

# Signature Database Key (DB)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout DB.key -out DB.crt -subj "/CN=My Signature DB Key/"
openssl x509 -in DB.crt -outform der -out DB.cer
</code>

===== 3. Prepare USB Stick for Key Transfer =====

Copy the public keys to a **FAT32-formatted USB stick**. You will also need the private `DB.key` for signing the bootloader on the target machine. `DB.key` is the private key that authorizes what your machine will boot, so keep the stick under your control and remove the key from it once signing is done.

<code bash>
# --- On your key generation PC ---
# Assume your USB stick is mounted at /media/usb

# Copy the public certificates (DER format) for BIOS enrollment
cp PK.cer KEK.cer DB.cer /media/usb/

# Copy the DB key pair for signing the bootloader on the target machine
cp DB.key DB.crt /media/usb/
</code>

===== 4. Sign Bootloaders on the Target Machine =====

The system will not boot until its bootloader is signed with your DB key. You may need to use a Linux Live environment to perform this step.

<code bash>
# --- On the Target Machine ---
# Ensure sbsigntool is installed if in a live environment.

# Mount the target's EFI System Partition (ESP) and the USB stick.
# Example:
# sudo mount -o x-mount.mkdir /dev/sda1 /mnt/esp
# sudo mount -o x-mount.mkdir /dev/sdb1 /mnt/usb

# Define paths for convenience
ESP_PATH=/mnt/esp
USB_PATH=/mnt/usb
SHIM_PATH=$ESP_PATH/EFI/boot/shimx64.efi   # path could be different!
GRUB_PATH=$ESP_PATH/EFI/boot/grubx64.efi   # path could be different!

# Sign the GRUB and Shim binaries with your DB key from the USB stick
sudo sbsign --key $USB_PATH/DB.key --cert $USB_PATH/DB.crt --output $GRUB_PATH $GRUB_PATH
sudo sbsign --key $USB_PATH/DB.key --cert $USB_PATH/DB.crt --output $SHIM_PATH $SHIM_PATH
</code>

===== 5. BIOS/UEFI Configuration and Manual Enrollment =====

Boot the target machine with the USB stick plugged in and enter the UEFI/BIOS setup.

==== Generate UUID ====

Use the Linux command //uuidgen// to generate a UUID string (example output):

<code>
$ uuidgen
1f2a5f2f-1328-419d-aad0-323ffcffc257
</code>

This is a randomly generated identifier in GUID format. The BIOS asks for it when you enter the keys and uses it as the owner identifier of the entries you add.

==== Enroll keys ====

  - Enter your BIOS/UEFI setup utility (usually by pressing **Esc** during boot).
  - Navigate to the **Administer Secure Boot** menu.
  - Use the options to enroll/add keys from a file:
    - **Enroll/Replace Platform Key (PK)**: Select this option, navigate to your USB stick in the file browser, and choose //PK.cer//.
    - **Enroll Key Exchange Key (KEK)**: Navigate to the USB stick and add the //KEK.cer// file.
    - **Enroll Signature Database Key (DB)**: Select **PKCS7**, then navigate to the USB stick and add the //DB.cer// file.
  - Save changes and exit the BIOS.

Secure Boot is now active with your custom keys. The system should boot correctly with Secure Boot enabled.
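Before rebooting into the UEFI setup (that is, after step 4), it pays to check that the files on the stick and the ESP are what the firmware expects. The script below is an added example, not part of the original guide: it checks that each `.cer` is a complete DER certificate (a PEM `.crt` copied by mistake will not enroll) and runs `sbverify` from sbsigntool against the signed binaries. It assumes the guide's mount points and file names; the `run` argument and the `check_sb.sh` file name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-enrollment sanity checks.
# Assumes certificates on the USB stick at $USB_PATH and the signed
# bootloaders on the ESP at $ESP_PATH, as laid out in steps 3 and 4.
USB_PATH=${USB_PATH:-/mnt/usb}
ESP_PATH=${ESP_PATH:-/mnt/esp}
# Return 0 if $1 is a DER-encoded certificate. The UEFI file browser enrolls
# the DER .cer files; the PEM .crt files (used by sbsign) start with "-----"
# and are rejected here. Checks the outer ASN.1 SEQUENCE tag (0x30) and that
# the encoded length exactly spans the file, which also catches truncated copies.
is_der_cert() {
    f=$1
    size=$(wc -c <"$f" | tr -d ' ')
    set -- $(od -An -tx1 -N4 "$f")       # tag, length byte, next two bytes
    [ "$#" -eq 4 ] && [ "$1" = "30" ] || return 1
    case $2 in
        82) expected=$(( 4 + 0x$3 * 256 + 0x$4 )) ;;   # long form, 2-byte length
        81) expected=$(( 3 + 0x$3 )) ;;                # long form, 1-byte length
        [0-7]?) expected=$(( 2 + 0x$2 )) ;;            # short form (< 128 bytes)
        *) return 1 ;;                                 # not a DER certificate
    esac
    [ "$size" -eq "$expected" ]
}
# Verify the Authenticode signature on EFI binary $1 against DB certificate $2.
# sbverify ships with sbsigntool (installed in step 1).
verify_signed() {
    if ! command -v sbverify >/dev/null 2>&1; then
        echo "sbverify not found; install sbsigntool to check $1" >&2
        return 2
    fi
    sbverify --cert "$2" "$1"
}
main() {
    rc=0
    for name in PK KEK DB; do
        if is_der_cert "$USB_PATH/$name.cer"; then
            echo "ok   $name.cer is DER-encoded and can be enrolled"
        else
            echo "FAIL $name.cer is not a complete DER certificate" >&2; rc=1
        fi
    done
    for bin in "$ESP_PATH/EFI/boot/shimx64.efi" "$ESP_PATH/EFI/boot/grubx64.efi"; do
        verify_signed "$bin" "$USB_PATH/DB.crt" || rc=1   # paths as in step 4
    done
    return $rc
}
if [ "${1:-}" = run ]; then main; fi   # run the checks with: sh check_sb.sh run
```

A non-zero exit status means at least one file should be regenerated or re-signed before you enroll anything.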