ClayDaniels
BIOS Secure Boot Keys Project
There are four, maybe five, Secure Boot keys in the NVRAM of the BIOS on the motherboard. They have been placed there by the manufacturer and other parties, such as Microsoft. They are:
Platform Key (PK)
Key Exchange Key (KEK)
Database Key (db)
Database Blacklist Key (dbx)
Machine Owner Key (MOK)
If you wish to take control of your computer, you may want to do more than just disable Secure Boot, and provide your own Secure Boot keys. The very first step should be to find the existing keys and make a backup copy of them. On FreeBSD you can use efivar(8).
Example:
    # efivar -l | less
    ~
    8be4df61-93ca-11d2-aa0d-00e098032b8c-dbxDefault
    8be4df61-93ca-11d2-aa0d-00e098032b8c-dbDefault
    8be4df61-93ca-11d2-aa0d-00e098032b8c-KEKDefault
    8be4df61-93ca-11d2-aa0d-00e098032b8c-PKDefault
    ~
    # efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-dbxDefault -b > ~/bootkeys/dbx
    # cd bootkeys
    # ls -al
    total 12
    drwxr-xr-x  2 root  wheel   512 Dec 25 01:26 .
    drwxr-xr-x  4 root  wheel   512 Dec 25 01:25 ..
    -rw-r--r--  1 root  wheel  3849 Dec 25 01:26 dbx
Repeat for db, KEK, and PK. It's unlikely you will have a MOK already installed, as that is something sometimes installed by you, the owner.
Save these keys in case they need to be re-installed and also to use in the creation of new keys.
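One way to check that the saved files are usable, as an added example that is not part of the original page: a small Python parser for the EFI_SIGNATURE_LIST layout defined in the UEFI specification, which is the format of the PK, KEK, db and dbx variables. It assumes each dump holds the raw variable data with no attribute prefix; the function names and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
SIG_TYPES = {
    "c1c41626-504c-4092-aca9-41f936934328": "SHA-256 hash",
    "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "X.509 certificate",
}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Return one dict per EFI_SIGNATURE_LIST; raise ValueError if malformed."""
    lists, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError(f"truncated list header at offset {offset}")
        guid, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        body = list_size - HEADER.size - hdr_size
        if (list_size > len(blob) - offset or sig_size <= 16
                or body < 0 or body % sig_size):
            raise ValueError(f"inconsistent sizes at offset {offset}")
        sig_type = str(uuid.UUID(bytes_le=guid))  # EFI GUIDs are mixed-endian
        entries = []
        start = offset + HEADER.size + hdr_size
        for pos in range(start, offset + list_size, sig_size):
            # Each entry is a 16-byte owner GUID followed by the hash or cert.
            owner = str(uuid.UUID(bytes_le=blob[pos:pos + 16]))
            entries.append((owner, blob[pos + 16:pos + sig_size]))
        lists.append({"type": SIG_TYPES.get(sig_type, sig_type), "entries": entries})
        offset += list_size
    return lists


def constructed_sample():
    # Constructed test data, not real dbx contents: one SHA-256 list, two entries.
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    sigs = owner + bytes(32) + owner + bytes([0xAB]) * 32
    sha256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
    return HEADER.pack(sha256, HEADER.size + len(sigs), 0, 48) + sigs


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in paths] or [("sample", constructed_sample())]
    for name, blob in blobs:
        for sl in parse_signature_lists(blob):
            print(f"{name}: {sl['type']}, {len(sl['entries'])} entries")
```

Run it with the backup files as arguments (for example the ~/bootkeys/dbx file saved above); a ValueError means the file is not a well-formed signature list and the backup should be taken again.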
Sites of interest:
https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
http://h10032.www1.hp.com/ctg/Manual/c05649759
https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
Interests
A Little C Primer https://en.wikibooks.org/wiki/A_Little_C_Primer
Netwide Assembler (NASM) Tutorial https://cs.lmu.edu/~ray/notes/nasmtutorial/
Contributions
LXDE - FreeBSD Wiki LXDE
Email Clay Daniels <clay DOT daniels DOT jr AT gmail.com>