I recently managed to get secure boot working on my system with Arch Linux. I am using custom keys over preloader/shim. I would like to blacklist Microsoft's key. Is this possible? If so, how?
1 Answer
This can surely be done via the UEFI BIOS. Boot into it and select:
"Delete All Secure Boot Keys" - this option name is BIOS dependent.
Then proceed to install your own MAK key again:
- I would like to add the Microsoft key to the DBx to blacklist it. Is that possible? – dev, Jul 27, 2020 at 15:57
- If you remove it, there's no need to blacklist it. – Artem S. Tashkinov, Jul 27, 2020 at 16:01
- Some UEFI systems will only provide the option to delete the primary key (PK) - this will enable Secure Boot Setup Mode, which allows replacing all the keys freely until a new PK is installed. If the UEFI BIOS has no other options, you will need another tool for modifying the keys - the keytool in efitools includes a stand-alone keytool.efi. Put it on a USB stick as \efi\boot\bootx64.efi, then boot from the stick, and you can edit Secure Boot keys on any Secure Boot system, if you first can get the system to Setup Mode. – telcoM, Jul 28, 2020 at 7:15
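
To confirm what is actually enrolled after clearing or replacing the keys as described in the answer and comments above, the db variable can be read back from Linux and listed per entry. The script below is an added example, not code from the answer or from efitools. It assumes the usual efivarfs paths and that Microsoft's entries carry the owner GUID conventionally used for them; `build_esl` and the sample entries are constructed for the offline fallback.

```python
import os
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509", SHA256: "sha256"}
# Owner GUID conventionally used for Microsoft's entries; set by the enroller, so a hint only.
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
DB = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SETUP_MODE = "/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_esl(blob):
    """Return [(type, owner GUID, data)] for a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = SIG_TYPES.get(sig_type, str(sig_type))
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((kind, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_esl(sig_type, entries):
    """Build one signature list from (owner, data) pairs; used for sample data."""
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    header = struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0][1]))
    return sig_type.bytes_le + header + body

def read_efivar(path):  # efivarfs prefixes the value with 4 attribute bytes
    with open(path, "rb") as f:
        return f.read()[4:]

if __name__ == "__main__":
    if os.path.exists(DB):
        print("SetupMode:", read_efivar(SETUP_MODE)[0])
        db = read_efivar(DB)
    else:  # constructed sample: one Microsoft-owned entry, one custom entry
        db = build_esl(SHA256, [(MS_OWNER, b"\x11" * 32), (uuid.UUID(int=1), b"\x22" * 32)])
    for kind, owner, data in parse_esl(db):
        print(kind, owner, len(data), "(Microsoft owner GUID)" if owner == MS_OWNER else "")
```

The same parser applies to KEK and dbx, since they use the same signature-list format; only the variable name in the path changes.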