What about not having UEFI CustomMode ?

To: debian-efi@lists.debian.org
Subject: What about not having UEFI CustomMode ?
From: adrian15 <adrian15sgd@gmail.com>
Date: Mon, 29 Apr 2019 23:58:24 +0200
Message-id: <[🔎] d467f166-8bb8-c82c-a69c-d3d9c492fa7a@gmail.com>

0) My hardware is:

HP250 G6 2SX60EA laptop.

1) I'm trying to enroll MS keys into it so that I can boot with Secure
Boot enabled and try either my supposedly Secure Boot enabled Rescatux
based on latest Debian shim-signed packages.

So far I have downloaded:
http://download-ib01.fedoraproject.org/pub/fedora-secondary/updates/29/Everything/i386/Packages/e/edk2-ovmf-20190308stable-1.fc29.noarch.rpm

(Please note these procedure installs MS keys and also some Redhat ones.)

which I have unzipped.

There is an UEFIShell.iso file.
Inside the UEFIShell.iso there is an efi.img floppy-disk size image.

So I loop-mount the UEFIShell iso.
I then loop-mount the floppy-disk size image.

I insert a usb device into my laptop and I create there a new msdos
partition with a 100 MB size FAT32 partition.

I copy all of the floppy-disk contents to the FAT32 partition.

I umount the usbdevice.

2) So now I have a working usbdevice.

When booting into it in my HP250 G6 2SX60EA laptop I get access to the
UEFIShell.

Then I try to use the suggested instructions here:
https://fedoraproject.org/wiki/Using_UEFI_with_QEMU#Run_EnrollDefaultKeys.efi

So I do:

fs2:

Shell> fs2:
FS2:\> EnrollDefaultKeys.efi

And here I get this error:

error: GetVariable("CustomMode", C076EC0C-7028-4399-A072-71EE5C448B9F):
Not found

3) I have found this another user here:
https://arstechnica.com/civis/viewtopic.php?p=28719833&sid=91f87954cd6b764030f33e68b9393df3#p28719833
.

"""
HP Stream has Platform key (greyed out), Pending Action (greyed out),
Clear All Secure Boot Keys (greyed out until Secure Boot is disabled) &
Load HP Factory Default Keys (greyed out)

After using "Clear All Secure Boot Keys" (passcode entered on keyboard
required)
Platform Key changed from Enrolled to Not Enrolled
Pending Action remains greyed out
Clear All Secure Boot Keys generates an error message saying the
database is empty
Load HP Factory Default Keys is now usable.

Still no "Custom Mode"...

Selecting Load Factory Default shows a warning that custom keys will be
deleted in the details panel. Still no means of editing the database in
any manner other than delete and restore factory default.
Pending action is still greyed out, but has a value of "Load HP Factory
Default Keys on next boot"
"""

I happen to have these options on the BIOS, there is either:
* Load HP Factory Default Keys (which I suspect, because of my tests,
are not the Microsoft ones)
* Clear All Secure Boot Keys

There is not an option in the UEFI to enroll your own keys as I would
have expected.

4) So not having a UEFI CustomMode does mean that I won't never be able
to enroll my own keys (e.g. the Microsoft ones)?

Is there anyother workaround which I'm missing?

5) As you might ask it, yes, my next move is probably going to find if
there's an UEFI update for this laptop that might be it easier for me.

Thank you very much!

adrian15
--
Support free software. Donate to Super Grub Disk. Apoya el software
libre. Dona a Super Grub Disk. http://www.supergrubdisk.org/donate/

Reply to:

Prev by Date: Re: How to enroll Debian Secure Boot test key from Debian Live image?
Next by Date: Bug#923413: marked as done (shim-signed: Receiving error message "Failed to set MokSBStateRT: (2) Invalid Parameter")
Previous by thread: How to enroll Microsoft Secure Boot key from Debian Live image?
Next by thread: Bug#923413: marked as done (shim-signed: Receiving error message "Failed to set MokSBStateRT: (2) Invalid Parameter")
Index(es):
- Date
- Thread