Secure Boot, EFI Keys and Setup Mode

Board: Dell Chromebook 3100 (Fleex)
Coreboot Version: 4.22.1

I’ve been doing a bit of poking around for the hell of it, looking at the new secure boot settings (I haven’t updated since July last year) and found that I’m having issues with enrolling keys. I can get the BIOS to recognize the files, but it can’t commit them. I found when trying to use Linux to enroll keys via sbctl, I wasn’t able to get the system into Setup mode, and because of that I can’t enroll any keys at all, including the PK.

Maybe it’s just me, and this board is a little borked with the new updates when it comes to SB, or this is expected behavior and the TPM is only as functional as it needs to be in order to work in the case of enterprise management, that kinda thing. Figured the best way to find out for sure was to make a post and see what people think.

Try to reset the NVRAM with the firmware utility script; that fixed it for me when updating from an older release.

I tried that a minute ago, and it looks like I got a PK at least, but it’s still not going into setup mode - I can’t manipulate the keys at all, or install my own.

Edit: actually, it looks like that allowed me to add my own DB entries, but I guess I can make do with having that work now at least - weird that the NVRAM works like that.

You first need to delete the PK, then you can go back and enroll your own. The other ones should enroll just fine. I’m not sure how you’re doing it, but I just put the keys on my ESP to enroll them.
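An added example, not part of the thread or of any project's code: a Python check of the state discussed above, reading the standard Linux efivarfs variables `SetupMode`, `SecureBoot` and `PK` to show whether a PK is enrolled and whether the firmware reports Setup Mode. The function names and the sample variable contents are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def read_efivar(name, root=EFIVARS):
    """Return (attributes, data) for a global variable, or None if absent."""
    path = os.path.join(root, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    if len(raw) < 4:
        return None
    # efivarfs prefixes the data with a 4-byte little-endian attribute mask.
    return struct.unpack("<I", raw[:4])[0], raw[4:]


def secure_boot_state(root=EFIVARS):
    """Summarise whether the firmware is in Setup Mode and has a PK."""
    def flag(name):
        var = read_efivar(name, root)
        return bool(var and var[1][:1] == b"\x01")

    pk = read_efivar("PK", root)
    state = {
        "setup_mode": flag("SetupMode"),
        "secure_boot": flag("SecureBoot"),
        "pk_enrolled": bool(pk and pk[1]),
    }
    # Per the UEFI spec, SetupMode is 1 exactly when no PK is enrolled.
    state["consistent"] = state["setup_mode"] != state["pk_enrolled"]
    return state


def write_sample(root, name, data, attrs=0x06):
    """Write a constructed efivarfs-style file (sample data, not a real key)."""
    with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
        fh.write(struct.pack("<I", attrs) + data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed: PK enrolled
        write_sample(d, "SetupMode", b"\x00")
        write_sample(d, "PK", b"constructed-pk")
        print(secure_boot_state(d))
```

Calling `secure_boot_state()` with no argument reads the live variables; `pk_enrolled` true with `setup_mode` false is the state in which the PK has to be deleted before new keys can be enrolled.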