Append

Append Secure Boot variables #

Preliminaries #

Install chattr (part of e2fsprogs) and efi-updatevar (part of efitools).

sudo apt install e2fsprogs efitools

Prepare a signed update #

Create the new signed updates KEK.auth, db.auth and dbx.auth as described under sign variables, passing the -a option to sign-efi-sig-list. The attributes are part of the signed data, so -a makes the signature cover EFI_VARIABLE_APPEND_WRITE; a file signed without it is a replace update and the firmware rejects it when it is applied with efi-updatevar -a.

Note that:

  • A new KEK must be signed by the current PK.
  • A new db/dbx must be signed by a current KEK key.

Update KEK #

sudo chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
sudo efi-updatevar -a -f KEK.auth KEK
sudo chattr +i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c

Update db #

sudo chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
sudo efi-updatevar -a -f db.auth db
sudo chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Update dbx #

sudo chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
sudo efi-updatevar -a -f dbx.auth dbx
sudo chattr +i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
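The three updates above are one procedure applied to three variables. The script below, added here as an example and not part of efitools or of the original page, wraps that procedure: it derives the efivarfs path from the variable name, checks that the file really is a signed .auth update before the immutable bit is touched, and restores the bit even when efi-updatevar fails. The helper names (efivar_path, check_auth_header, append_efivar, write_sample_auth_header) and the constructed sample header are this example's own.

```shell
#!/bin/sh
# Added example, not part of efitools or of this page's original commands: a
# wrapper for the KEK/db/dbx append steps. Helper names are this example's own.
# The real write needs root, efitools (efi-updatevar) and e2fsprogs (chattr).
set -eu

EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL_VARIABLE_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFI_IMAGE_SECURITY_DATABASE_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f
# EFI_CERT_TYPE_PKCS7_GUID (4aafd29d-68df-49ee-8aa9-347d375665a7) as it is laid
# out in the file: the first three fields of an EFI_GUID are little-endian.
PKCS7_GUID_BYTES=9dd2af4adf68ee498aa9347d375665a7

# Map a Secure Boot variable name to its efivarfs path. PK and KEK live under
# EFI_GLOBAL_VARIABLE_GUID, db and dbx under EFI_IMAGE_SECURITY_DATABASE_GUID.
efivar_path() {
    case "$1" in
        PK|KEK) echo "$EFIVARS/$1-$EFI_GLOBAL_VARIABLE_GUID" ;;
        db|dbx) echo "$EFIVARS/$1-$EFI_IMAGE_SECURITY_DATABASE_GUID" ;;
        *) echo "unknown Secure Boot variable: $1" >&2; return 1 ;;
    esac
}

# Print LEN bytes at OFFSET of FILE as one lowercase hex string.
hex_at() {
    od -An -v -t x1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Check that FILE starts with an EFI_VARIABLE_AUTHENTICATION_2 descriptor:
# EFI_TIME (16 bytes), then a WIN_CERTIFICATE header {dwLength u32,
# wRevision 0x0200, wCertificateType 0x0EF1 = WIN_CERT_TYPE_EFI_GUID}, then
# CertType = EFI_CERT_TYPE_PKCS7_GUID. This catches the common slip of handing
# efi-updatevar the .esl or .crt instead of the signed .auth file.
check_auth_header() {
    f=$1
    [ "$(wc -c < "$f" | tr -d ' ')" -ge 40 ] ||
        { echo "$f: too short for an authenticated variable header" >&2; return 1; }
    [ "$(hex_at "$f" 20 2)" = "0002" ] ||
        { echo "$f: WIN_CERTIFICATE revision is not 0x0200" >&2; return 1; }
    [ "$(hex_at "$f" 22 2)" = "f10e" ] ||
        { echo "$f: certificate type is not WIN_CERT_TYPE_EFI_GUID" >&2; return 1; }
    [ "$(hex_at "$f" 24 16)" = "$PKCS7_GUID_BYTES" ] ||
        { echo "$f: CertType is not EFI_CERT_TYPE_PKCS7_GUID" >&2; return 1; }
}

# Clear the immutable bit only for the duration of the write. The trap puts it
# back even when efi-updatevar fails (for example because the firmware rejects
# the signature), so a failed update does not leave the variable writable.
append_efivar() {
    var=$1
    auth=$2
    path=$(efivar_path "$var")
    check_auth_header "$auth"
    chattr -i "$path"
    trap 'chattr +i "$path"' EXIT
    efi-updatevar -a -f "$auth" "$var"
    chattr +i "$path"
    trap - EXIT
}

# Constructed sample for exercising check_auth_header offline: a valid 40-byte
# EFI_VARIABLE_AUTHENTICATION_2 header (timestamp 2024-01-01, dwLength 28)
# followed by four placeholder bytes. It carries no real PKCS#7 signature and
# must never be fed to efi-updatevar.
write_sample_auth_header() {
    printf '\350\007\001\001\000\000\000\000\000\000\000\000\000\000\000\000' > "$1"
    printf '\034\000\000\000\000\002\361\016' >> "$1"
    printf '\235\322\257\112\337\150\356\111\212\251\064\175\067\126\145\247' >> "$1"
    printf '\001\002\003\004' >> "$1"
}

# Usage: sudo sh append-efivar.sh KEK KEK.auth   (then db db.auth, dbx dbx.auth)
if [ "$#" -eq 2 ]; then
    append_efivar "$1" "$2"
fi
```

Run it as root in the same order as the page, KEK first, since the db and dbx updates must verify against a KEK entry that is already present. The header check only proves the file has the shape of a signed update; whether it was signed with the append attribute is something only the firmware can tell, and a mismatch between the signed attributes and the -a flag given to efi-updatevar is rejected at SetVariable time.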

Debrief #

You asked the UEFI runtime services, through efivarfs and efi-updatevar, to apply signed, time-based authenticated updates to KEK, db and dbx. Before appending to each variable, the firmware verified the PKCS#7 signature on the update against the Secure Boot key hierarchy: the KEK update against the current PK, the db and dbx updates against a key in the current KEK. The -a option makes efi-updatevar set the EFI_VARIABLE_APPEND_WRITE attribute in its SetVariable call. Because the attributes are part of the data that was signed, the .auth file must have been produced with the same append attribute, otherwise the signature check fails and the firmware rejects the update.

The immutable bit that efivarfs sets on each variable file was cleared so that the kernel does not block the write, and set again once the write was done. This bit is not a security boundary: anyone with root can clear it exactly as you did. Its purpose is to stop accidental writes or deletions of firmware variables by root processes, which on some machines have been known to leave the system unbootable.