# secureboot
Most distributions ship with a Microsoft-signed shim bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The shim bootloader is controlled with mokutil.
- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation
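
To audit many hosts without mokutil installed, the same state can be read straight from efivarfs. The script below is an added example, not part of the original notes; it assumes the UEFI `SecureBoot` and `SetupMode` variables and shim's `MokSBStateRT` variable under their usual GUIDs, and the state labels it prints are made up for this example.

```shell
#!/bin/sh
# Added example: summarise Secure Boot and shim validation state from efivarfs.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global variable GUID
SHIM_LOCK=605dab50-e046-4300-abb6-3dd810dd8b23    # shim vendor GUID

# An efivarfs file holds 4 bytes of attributes followed by the variable data.
# Print the first data byte as a decimal number; fail if the file is unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# sb_state [DIR]: print one of
#   no-efi                       not booted via UEFI (no efivarfs directory)
#   setup-mode                   no platform key enrolled, nothing is enforced
#   disabled                     firmware Secure Boot is off
#   enabled-shim-validation-off  firmware enforces, shim validation was disabled
#   enabled                      firmware and shim both validate
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo "no-efi"; return 0; }
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || sb=
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || setup=
    moksb=$(efivar_byte "$dir/MokSBStateRT-$SHIM_LOCK") || moksb=
    if [ "$setup" = 1 ]; then
        echo "setup-mode"
    elif [ "$sb" != 1 ]; then
        echo "disabled"
    elif [ "$moksb" = 1 ]; then
        echo "enabled-shim-validation-off"
    else
        echo "enabled"
    fi
}

sb_state "$@"
```

A host reporting `enabled-shim-validation-off` is the case `mokutil --enable-validation` is meant to correct.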
## ubuntu
Ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this requires Secure Boot to already be active.
# cryptsetup luks
- cryptsetup luksDump /dev/sdaX
- cryptsetup luksChangeKey /dev/sdaX
- cryptsetup luksErase
resource:
http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/