Replace

Replace Secure Boot variables #

Preliminaries #

Install chattr (from e2fsprogs) and efi-updatevar (from efitools).

sudo apt install e2fsprogs efitools

Prepare a signed update #

Create the signed update files PK.auth, KEK.auth, db.auth and dbx.auth for the new Secure Boot variables, see sign variables.

Note that:

  • A new PK must be signed by the current PK.
  • A new KEK must be signed by the current PK.
  • A new db/dbx must be signed by a current KEK key.

Update PK #

sudo chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
sudo efi-updatevar -f PK.auth PK
sudo chattr +i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c

Update KEK #

sudo chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
sudo efi-updatevar -f KEK.auth KEK
sudo chattr +i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c

Update db #

sudo chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
sudo efi-updatevar -f db.auth db
sudo chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Update dbx #

sudo chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
sudo efi-updatevar -f dbx.auth dbx
sudo chattr +i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
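The four steps above combined into one script, added here as an example (it is not code from the original page or from efitools). It maps each variable to its efivarfs file, refuses to write anything that does not start with an EFI_VARIABLE_AUTHENTICATION_2 header carrying a PKCS7 certificate (so a bare .esl or .crt is caught before the firmware sees it), clears the immutable bit only if the variable file exists and is locked, and sets it again whether or not efi-updatevar succeeded. The .auth file names, the `EFIVARS` override and the `--apply DIR` invocation are this example's own conventions.

```shell
#!/bin/bash
# Added example, not from the original page: apply PK/KEK/db/dbx updates in order,
# with the precondition checks a practitioner wants before touching efivarfs.
set -eu

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_VARIABLE_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFI_IMAGE_SECURITY_DATABASE_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f

# efivarfs file name for a Secure Boot variable: PK and KEK live under the
# global-variable GUID, db and dbx under the image-security-database GUID.
efivar_file() {
    case "$1" in
        PK|KEK) printf '%s-%s\n' "$1" "$EFI_GLOBAL_VARIABLE_GUID" ;;
        db|dbx) printf '%s-%s\n' "$1" "$EFI_IMAGE_SECURITY_DATABASE_GUID" ;;
        *) echo "unknown Secure Boot variable: $1" >&2; return 1 ;;
    esac
}

# A .auth file is an EFI_VARIABLE_AUTHENTICATION_2 blob: a 16-byte EFI_TIME,
# then a WIN_CERTIFICATE_UEFI_GUID whose wCertificateType (offset 22, little
# endian) is WIN_CERT_TYPE_EFI_GUID 0x0EF1 and whose CertType (offset 24) is
# EFI_CERT_TYPE_PKCS7_GUID 4aafd29d-68df-49ee-8aa9-347d375665a7. Anything else
# (a bare .esl, a .crt, an empty file) is rejected before it reaches the firmware.
auth_header_ok() {
    [ "$(wc -c < "$1")" -ge 40 ] || return 1
    [ "$(od -An -tx1 -j22 -N2 "$1" | tr -d ' \n')" = f10e ] &&
    [ "$(od -An -tx1 -j24 -N16 "$1" | tr -d ' \n')" = 9dd2af4adf68ee498aa9347d375665a7 ]
}

# True if the efivarfs file carries the immutable attribute (lowercase 'i' in the lsattr flags).
is_immutable() {
    case "$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)" in
        *i*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write one signed update. The immutable bit is cleared only when the variable
# file exists and is locked (in setup mode PK may not exist yet) and is set
# again afterwards whether or not efi-updatevar succeeded.
update_var() {
    local name=$1 auth=$2 path rc=0
    path="$EFIVARS/$(efivar_file "$name")" || return 1
    [ -r "$auth" ] || { echo "$name: cannot read $auth" >&2; return 1; }
    auth_header_ok "$auth" || { echo "$name: $auth is not a signed variable update" >&2; return 1; }
    if [ -e "$path" ] && is_immutable "$path"; then
        chattr -i "$path"
    fi
    efi-updatevar -f "$auth" "$name" || rc=$?
    if [ -e "$path" ]; then
        chattr +i "$path" || echo "$name: could not restore immutable bit on $path" >&2
    fi
    return $rc
}

# Order matters: each update is verified against the hierarchy current at write
# time, so KEK.auth must be signed by the PK written just before it, and
# db.auth/dbx.auth by a key in the new KEK.
apply_all() {
    local dir=${1:-.} name
    for name in PK KEK db dbx; do
        update_var "$name" "$dir/$name.auth"
    done
}

case "${1:-}" in
    --apply) apply_all "${2:-.}" ;;
esac
```

Run it as `sudo ./sb-update.sh --apply /path/to/auth/files`; afterwards `efi-readvar -v KEK` (also from efitools) shows the replaced contents. If efi-updatevar fails on one variable the script stops there with the immutable bit restored, so you can fix that single .auth file and rerun from that step.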

Debrief #

You asked the firmware, through the UEFI runtime services, to apply signed updates for PK, KEK, db and dbx. Before replacing the old variable data with the EFI signature lists in the respective .auth files, the firmware verified each signature against the Secure Boot key hierarchy as it stood at the moment of the write: KEK.auth against the PK you had just installed, db.auth and dbx.auth against a key in the new KEK. Each .auth also carries a timestamp that must be newer than the one stored with the variable, so replaying an old update is rejected even though its signature is valid.

The immutable bit on each efivarfs file was cleared so the Linux kernel would not reject the write, and set again afterwards. The kernel sets that bit by default on Secure Boot variables so that a stray write or delete by root (a runaway rm -rf, for instance) cannot corrupt firmware state; it guards against mistakes, not against an attacker with root, who can clear it exactly as you just did.