Purpose:
Share fundamental knowledge for managing Secure Boot on Linux. This FAQ is for reference only; no further support is offered.
Audience:
- Readers who already have a good understanding of PKI and Secure Boot.
- Platforms that support both Secure Boot and Windows.
Secure Boot:
Secure Boot is a security standard developed by members of the PC industry to help ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.
Secure Boot is designed to protect the boot process from attacks that seek to compromise it, ensuring that only trusted software is allowed to run during boot. It's an important feature for maintaining the security of a system, especially in environments where integrity and reliability are critical.
Prerequisites:
Install efitools in Linux. Ubuntu 22.04.4 LTS is used as the example. (mokutil, used below, comes from the separate mokutil package, which Ubuntu normally installs alongside shim.)
# sudo apt install efitools
Skills:
1. Check whether Secure Boot is enabled.
- OS booted with Secure Boot enabled.
# sudo mokutil --sb-state
SecureBoot enabled
- OS booted without Secure Boot.
# sudo mokutil --sb-state
SecureBoot disabled
- No PK enrolled, so the platform is in Setup Mode.
# sudo mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode
2. Check the keys enrolled in the system.
- In the following case only two variables hold keys, PK and db; KEK, dbx and MokList are empty.
root@FWA-3051-efi:~# efi-readvar
Variable PK, length 1605
PK: List 0, type X509
Signature 0, size 1577, owner xxxx4851-xxxf-xxx1-xxx9-fbf883bbbxxxx
Subject:
C=TW, ST=Taiwan, L=Advantech, O=Advantech, OU=TEST, CN=SASE signing key
Issuer:
CN=UEFI kek
Variable KEK has no entries
Variable db, length 1604
db: List 0, type X509
Signature 0, size 1577, owner xxxx4851-xxxf-xxx1-xxx9-fbf883bbbxxxx
Subject:
C=TW, ST=Taiwan, L=Advantech, O=Advantech, OU=TEST, CN=SASE signing key
Issuer:
CN=UEFI kek
Variable dbx, length -4
Variable MokList has no entries
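The sizes efi-readvar reports follow directly from the EFI_SIGNATURE_LIST layout: the PK above is 1605 bytes, i.e. a 28-byte list header plus one 1577-byte EFI_SIGNATURE_DATA entry (a 16-byte owner GUID followed by a 1561-byte DER certificate). The Python example below is added here and is not part of this FAQ or of efitools; it parses that layout from raw variable data as read from efivarfs and reports the same fields efi-readvar prints. The X509 and SHA256 type GUIDs are the ones defined in the UEFI specification; the owner GUID and certificate bytes in the demo are constructed placeholders.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification (the "type" column in efi-readvar)
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509_GUID: "X509", SHA256_GUID: "SHA256"}
HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(data):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a PK/KEK/db/dbx variable and
    return one dict per EFI_SIGNATURE_DATA entry: list index, type, index, size, owner."""
    entries, off, idx = [], 0, 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated list header at offset %d" % off)
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        payload = list_size - HDR.size - hdr_size
        if list_size < HDR.size or off + list_size > len(data):
            raise ValueError("SignatureListSize %d overruns variable data" % list_size)
        if sig_size < 16 or payload < 0 or payload % sig_size:
            raise ValueError("signature entries do not fill list %d" % idx)
        type_name = SIG_TYPES.get(uuid.UUID(bytes_le=sig_type), "unknown")
        pos = off + HDR.size + hdr_size
        for n in range(payload // sig_size):
            entries.append({"list": idx, "type": type_name, "signature": n,
                            "size": sig_size,
                            "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                            "data": data[pos + 16:pos + sig_size]})
            pos += sig_size
        off, idx = off + list_size, idx + 1
    return entries


def build_signature_list(type_guid, owner, payloads):
    """Assemble one EFI_SIGNATURE_LIST from equally sized payloads (test data only)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HDR.pack(type_guid.bytes_le, HDR.size + len(body), 0, sig_size) + body


def demo():
    # Constructed stand-in for a db variable read from efivarfs: a 4-byte attribute
    # word, then an X509 list with one 1561-byte dummy certificate (16 + 1561 = 1577,
    # the signature size shown above) and a SHA256 list holding two 32-byte hashes.
    owner = uuid.UUID("00000000-0000-0000-0000-000000000000")  # placeholder owner GUID
    raw = (struct.pack("<I", 0x27)
           + build_signature_list(X509_GUID, owner, [b"\x30" * 1561])
           + build_signature_list(SHA256_GUID, owner, [b"\xaa" * 32, b"\xbb" * 32]))
    return parse_signature_lists(raw[4:])  # strip the efivarfs attribute word
```

On a real system the same parser can be pointed at /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after dropping the first four bytes; subjects and issuers are then read from the DER bytes in each entry's "data".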