Allow Microsoft 3rd Party UEFI CA

To: debian-laptop@lists.debian.org
Subject: Allow Microsoft 3rd Party UEFI CA
From: Bjørn Mork <bjorn@mork.no>
Date: Sat, 22 Oct 2022 19:04:40 +0200
Message-id: <[🔎] 871qqzrdqv.fsf@miraculix.mork.no>

Just had an interesting experience installing Debian bullseye on a
Lenovo Thinkpad P14s Gen 3.

I tried to PXE boot the Debian installer and could see in the tftp
server log that the Thinkpad loaded the shim, but nothing more.  It just
jumped back to the PXE boot menu.

After several failed attempts, I was ready to give up and just disable
secure boot.  So I entered the BIOS settings.  But in the Secure Boot
page there I noticed an unknown (to me) new setting, which was disabled
by default:

  "Allow Microsoft 3rd Party UEFI CA"

I enabled it and tried PXE booting the Debian install again.  And voilà
- the shim ran and loaded grub etc as it should.

So to anyone struggling with secure boot: Look for this setting or
something similar in the BIOS. They've obviously found a new way to
break secure boot by default.


Bjørn

Reply to:

Index(es):
- Date
- Thread