Thank you for calling Intel Customer Support, sorry for the delay on this one.
In regards to your question. Configuration and usage of Secure boot can be done through Syscfg utility.
Secure Boot Keys settings are described in section 4.3.9 of user guide
Please also see below information for Secure Boot features listed:
In implementation, PCSD BIOS provisions the keys for the first time user chooses UEFI boot mode and enable UEFI secure boot in Setup mode. When new BIOS capsule release contains new keys (in case there is private key compromise or known security vulnerability with previous signatures):
•In case user has already done the provision (i.e. once enabled UEFI secure boot), the
new keys will NOT be provisioned and old keys still take effect. It is mandatory to use method described in section 220.127.116.11 to update those keys.
•In case user has not yet done the provision (i.e. never enabled UEFI secure boot
before), the new keys will be provisioned and take effect.
18.104.22.168 Secure Boot Keys Update
After secure boot key has been provisioned after product launch, there are chances that these keys are required to be updated in an authenticated way so that user can replace obsoleted and compromised keys.
PCSD product BIOS does not support “custom mode” to update key variables (PK, KEY, DB & DBX) without authentication. This means that the key must be authenticated strictly according to UEFI specification requirement whenever UEFI secure boot is enabled or disabled: <see image.PNG attached>
PCSD product BIOS provides BIOS interfaces to enable System Configuration (SysCfg) utility to update these keys in authenticated way with /securebootkey command. For more details, please refer to the latest System Configuration Utility User Guide.I hope this answers to your questions, or if further assistance is needed, anyway, please elt me know, I'll stay tuned to your comments.
Intel Customer Support
Thanks for for the answer. I tried this, and unfortunately it did not work. I'm not sure what reference document the information stating with "In implementation, PCSD ...." came from, but based on that, it seems like I can't change the PK (this is the key I want to overwrite) because the current PK that's installed is an Intel Key (2AE721F4-F17a-4023-972c-4f337ad58644, subject: CN=CN = Intel(R) PCSD Greenlow-R Product BIOS Platform Key O=Intel Corporation, OU=,). So, according to 22.214.171.124 I'm not going to be able to change the PK because I don't have the this Intel Key to sign the PK I want installed.
I was able to run syscfg and did test other commands so syscfg did appear to run (I was running it as an EFI). However, when I tried:
syscfg /securebookey "pass" overwrite PK fs0:\PK.(esl/auth/crt/cert) (I tried multiple formats), it said:
Updating secure boot key of PK...
ERROR. Change BIOS setting failed. It may be caused by invalid data in the switch parameter.
Looking at the UEFI specification version 2.7, section 31.3.2 "Clearing the Platform Key" it seems to indicate there are two methods:
1. Signing a new PK with the existing PK. This would make sense and is perhaps the /securebootkey overwrite method in syscfg.
2. "The platform key may also be cleared using a secure platform-specific method." I believe on Intel UEFI Firmware for a NUC there are options to clear the PK from the firmware.
So I guess my questions are:
1. Is there a method to clear the PK using the existing firmware or another Intel provided firmware for this Intel Server Board?
2. If not, can it be added?
Thank you again,
Thanks for your feedback, in response to your comments.
I would like to replicate this myself to see what results I get because it make no sense syscfg should provide the keys needed t complete the opwration, anyway I'm also interested in knowing what is the big picture here, what is the final goal for which you need to overwrite the keys? that way maybe we can figure a workaround, if that's OK I've sent an email to your address for you to reply with your contact information and timezone in case we need to reach you back in that way, while I'm working in the replication.
I'll stay tuned to your comments, best regards.
The end goal is to enable UEFI secure boot. The OS is a custom Linux kernel and rootfs, essentially a custom distro. This application for this server is very static and controlled. My assumption was from working with desktop UEFIs was that I could clear the PK, but this might not be the case. This would have been ideal as the boot process would have been: UEFI Firmware -> my signed Kernel EFI stub.
I did also notice there is a microsoft key in the KEK database. Perhaps I can use the Linux Foundation signed Preloader & shim (assuming it's the same key). In this case, there is more boot layers (UEFI Firmware -> preloader -> shim -> kernel I think). This could work, but the extra layers of indirection are not beneficial in the use case we have. It is however, probably better then disabling UEFI secure boot.
I tired the PreLoader, with secure boot, from UEFI shell but it did not immediately work however, I may not have invoked it correctly. I can give that another try.
I just want to let you know we're still working on your case, I would like to know how it went after your last try, is there any difference?
Please let me know so we can update our scenario.
Thanks for the update. I am not able to clear the platform key. I haven't yet tried removing the SPI flash and tweaking that directly though. What I want to try is to manipulate the PK's GUID to make it look like the PK isn't there. Not sure if this will work though.
Because of the MFST key in the KEK, I can perform the following:
Firmware->PreLoader (from the Linux Foundation, signed by MFST)->custom software.
This is the best we can do without clearing the platform key, which is better than not having secure boot.
Thanks for the heads up, I'mm trying to have this replicated and also digging trough the documentation, if you have any more information as result of your testing please let me know, I'll reach back at you as soon as I have something else.