secureboot
Most distributions are delivered with a Microsoft-signed shim bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The shim bootloader is controlled with mokutil.
- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation
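
The firmware exposes the Secure Boot state as the `SecureBoot` and `SetupMode` variables in efivarfs, so it can be checked even where mokutil is not installed. The shell functions below are an added example, not part of the original notes; the `EFIVARS` override and the `make_sample` helper are assumptions that let the check run against a constructed sample tree.

```shell
#!/bin/sh
# Added example: report Secure Boot state from efivarfs, without mokutil.
# EFIVARS is an assumed override so the functions can run on a sample tree.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efivar_byte NAME: print the first data byte of a global variable as decimal.
# efivarfs files start with a 4-byte attribute field; the data follows.
efivar_byte() {
    f="${EFIVARS:-/sys/firmware/efi/efivars}/$1-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1      # truncated file: no data byte present
    printf '%s\n' "$v"
}

# sb_state: print one of: unsupported, setup-mode, enabled, disabled
sb_state() {
    sb=$(efivar_byte SecureBoot) || { echo unsupported; return 0; }
    setup=$(efivar_byte SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo setup-mode          # no Platform Key enrolled, nothing is enforced
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# make_sample DIR SB SETUP: write a constructed efivars tree (test data only).
# Each file: attributes 0x00000006 little-endian, then the one-byte value.
make_sample() {
    mkdir -p "$1"
    printf "$(printf '\\006\\000\\000\\000\\%03o' "$2")" > "$1/SecureBoot-$EFI_GLOBAL"
    printf "$(printf '\\006\\000\\000\\000\\%03o' "$3")" > "$1/SetupMode-$EFI_GLOBAL"
}
```

Source the file and call `sb_state`; on a shim-booted system the result should agree with `mokutil --sb-state`.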
ubuntu
Ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this requires Secure Boot to already be active.
cryptsetup luks
- cryptsetup luksDump /dev/sdaX
- cryptsetup luksChangeKey /dev/sdaX
- cryptsetup luksErase
resource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/