Advice/instructions for manual Secure Boot enrollment?

howdy!

i have an issue similar to Error enrolling secure boot key

my desktop motherboard ( https://rog.asus.com/au/motherboards/rog-strix/rog-strix-x670e-e-gaming-wifi-model/ ) has never worked with any automatic key enrolment, which is frustrating when i can see it work so perfectly on my laptop

anyhow, it does support manual enrolment of PK, KEK, DB, and DBX files, because i would previously generate my own private key and sign my EFI payloads back when i used Arch btw

what is the manual enrolment process for bazzite / universal-blue ? which files should be enrolled under which of PK/KEK/DB/DBX in order to get Secure Boot enforcement working as expected (whilst enabling this distribution)?

cheers! <3

We do not modify your PK, KEK, DB, or DBX entries. The requirement we have is that your Motherboard have the 3rd Party Microsoft Keys loaded (KEK, DB, and DBX). This should be either the default option for your Motherboard or rarely other OS/3rd Party.

For our signing needs we use the Machine Owner Key mechanism with Shim. Linux will trust a certificate that is loaded through shim as if it were a DB entry or signed by the KEK.

Reload the default keys. Then go through our documentation.
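A read-only check of the prerequisite described in the reply above, as an added example that is not part of the thread or the project's documentation: it parses the firmware `db` variable (EFI_SIGNATURE_LIST format) and looks for a Microsoft third-party UEFI CA by subject name. The efivarfs path, the CN substring heuristic and the helper names are assumptions of this example, and the sample bytes are constructed and contain no real certificate.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
SECDB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # EFI_IMAGE_SECURITY_DATABASE_GUID
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID
THIRD_PARTY_CNS = (b"Microsoft Corporation UEFI CA 2011", b"Microsoft UEFI CA 2023")

def read_efivar(name, guid):
    """Return a variable's payload; efivarfs prefixes 4 attribute bytes."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()[4:]

def parse_signature_lists(data):
    """Yield (type, owner, payload) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(data):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def db_has_third_party_ca(data):
    """Heuristic: an X.509 entry whose DER bytes contain a third-party CA subject CN."""
    return any(t == X509_GUID and any(cn in cert for cn in THIRD_PARTY_CNS)
               for t, _, cert in parse_signature_lists(data))

def build_list(sig_type, owner, payload):
    """Build a one-entry EFI_SIGNATURE_LIST (only used for the constructed sample)."""
    body = owner.bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (build_list(X509_GUID, OWNER, b"constructed: CN=Example Board Vendor CA")
             + build_list(X509_GUID, OWNER, b"constructed: CN=Microsoft Corporation UEFI CA 2011"))

if __name__ == "__main__":
    if EFIVARS.is_dir():  # live, read-only check on a UEFI-booted Linux system
        for name in ("SecureBoot", "SetupMode"):
            print(name, "=", read_efivar(name, GLOBAL_GUID) == b"\x01")
        print("db has third-party CA:", db_has_third_party_ca(read_efivar("db", SECDB_GUID)))
    print("constructed sample:", db_has_third_party_ca(SAMPLE_DB))
```

A `False` result for `db` on a live system corresponds to the case the reply addresses by reloading the default keys; `SetupMode` being true means no PK is enrolled and Secure Boot is not being enforced.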

Thanks, didn’t realise this just needed the default Microsoft chain of trust

The MOK is installed and Secure Boot is all enabled for me now, cheers! <3
