noahbliss/mortar

Cannot provision Secure Boot keys on OptiPlex 7050

Closed this issue · 8 comments

ioctl2 commented

I was having issues auto provisioning Secure Boot keys on a debian system using the script, so I tried to manually provision the PK etc. that the script has generated. However, the system firmware setup utility rejects the files. Example below.

If it helps troubleshooting, according to page (20)26 here, Certificates in the DER format and SHA-256 hashes in the HSH format are accepted.

I can't find a whole lot of info. Any help would be appreciated. I know there are others who use this and similar Dell systems who want to take advantage of Mortar.

You may need to convert them to DER format. I thought I had made a change a while ago which automatically did this and left copies in /etc/mortar. If you can't find them, you can generate the DER files with an openssl command. I don't remember which off the top of my head.
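The conversion the reply above refers to, as an added example that is not part of the mortar project or of either commenter's text. It converts a PEM certificate (the PK/KEK/db certificates mortar generates, or any other) to DER with `openssl x509`, then checks that the output is a bare X.509 certificate: the first byte must be the DER SEQUENCE tag (0x30) and openssl must parse it back. The file paths are placeholders, and the demo generates a throwaway self-signed certificate so it can run without any real keys.

```shell
#!/bin/sh
# Added example (not mortar's own code): PEM -> DER conversion for Secure
# Boot certificates, plus a sanity check on the result. Paths are assumptions.
set -eu

# Convert a PEM certificate to DER. `openssl x509 -outform DER` writes only
# the bare certificate (no PEM armor, no PKCS#7 wrapper), which is the form
# firmware setup utilities that say "DER" expect.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Sanity check on a DER file: a DER-encoded X.509 certificate starts with the
# ASN.1 SEQUENCE tag 0x30, and openssl must be able to parse it back in DER
# form. Prints the subject on success, returns non-zero on failure.
check_der_cert() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" != "30" ]; then
        echo "not a DER certificate: first byte is 0x$first" >&2
        return 1
    fi
    openssl x509 -inform DER -in "$1" -noout -subject
}

# Self-contained demo: a throwaway self-signed certificate stands in for the
# PK mortar would have generated; it is converted and then checked.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mortar-demo-PK" \
        -keyout "$dir/PK.key" -out "$dir/PK.crt" 2>/dev/null
    pem_to_der "$dir/PK.crt" "$dir/PK.der"
    check_der_cert "$dir/PK.der"
    echo "DER certificate written to $dir/PK.der"
}

demo
```

If `check_der_cert` reports a first byte of 0x2d (`-`), the file is still PEM (it begins with `-----BEGIN`), which is the most common reason a "DER" upload is rejected.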

ioctl2 commented

These der files all get rejected.
I was doing some quick research on my phone the other night while wrangling with this, and saw a mention that openssl doesn't create the der files in a format that the Dell setup utility will accept (non-standard or has some extra attributes/info that has to be stripped first), but unfortunately I lost the URL.

Might seem useless. But try going to default with secure boot off, rebooting, enabling custom audit mode and wiping factory keys in the BIOS, reboot, go back into the BIOS to ensure it's still in audit mode, then boot to system and retry 2. If it fails, then retry the manual install.

ioctl2 commented

There is only "Custom Mode" in this bios/efi setup utility and no "audit mode" like you see in some others. It seems that it should be similar to audit mode in all the relevant ways, so I am going to try that.
I have already tried different permutations of the steps you outlined, but no dice. I'm going to follow your sequence on an identical test system and will come back with my results.

ioctl2 commented

I did a test install on an identical machine and was able to import the keys through the script. After resetting Secure Boot it would not let me install the keys. The trick was to remove all keys in addition to toggling Secure Boot. I thought I had done that on the original machine, but perhaps not. I'm going to check if the keys can be imported in the EFI setup utility on this machine and report back.

Good to know the initial conclusion is good and glad you're sorting it out!

Feel free to re-open if this isn't resolved.