On Fri, Jul 05, 2013 at 09:07:13AM -0000, Franz Hsieh wrote:
> Please help me check if my steps are correct.
> note: The platform runs Ubuntu-12.04.2 for ASUS image.
> <BOOT the platform to non-secure mode>
> 1. copy LockDown.efi to /boot/efi/ <EFI partition mount point>
> 2. copy shimx64.efi to /boot/efi/EFI/ubuntu/BOOTX64.EFI
> 3. reboot and change to secure mode in BIOS

This step is wrong. After copying LockDown.efi to /boot/efi, you next need
to *boot* LockDown.efi from the firmware while in setup mode. LockDown.efi
handles the process of configuring the firmware's SecureBoot support to
include the key used for signing this shim binary, so that you can do a true
SecureBoot boot with a test binary.

After running LockDown.efi, you should be able to boot shimx64.efi in Secure
Boot mode without a security violation.
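
A way to confirm the firmware state before and after the enrolment step described above, as an added example that is not part of the original thread: it reads the standard SetupMode and SecureBoot variables from efivarfs. The function names and state labels are made up for this example, and the default path assumes a kernel that exposes efivarfs at /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example (not from the thread): report the firmware's Secure Boot state.
# GUID of the EFI global variable namespace, as defined by the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file holds a 4-byte attribute word followed by the variable data.
# SetupMode and SecureBoot each carry a single data byte (0 or 1).
efi_byte() {
    # $1 = efivars directory, $2 = variable name (hypothetical helper)
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    # Skip the attribute word and print the data byte as a decimal number.
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1      # file too short or unreadable
    echo "$v"
}

sb_state() {
    # $1 = efivars directory; the default is an assumption about the mount point.
    dir=${1:-/sys/firmware/efi/efivars}
    setup=$(efi_byte "$dir" SetupMode) || { echo "no-efi-vars"; return 2; }
    secure=$(efi_byte "$dir" SecureBoot) || { echo "no-efi-vars"; return 2; }
    if [ "$setup" = 1 ]; then
        # No platform key enrolled: the firmware still accepts new keys.
        echo "setup-mode"
    elif [ "$secure" = 1 ]; then
        # Keys enrolled and signature checks enforced on boot binaries.
        echo "secure-boot-enforcing"
    else
        # Keys enrolled, but enforcement is switched off in the firmware.
        echo "user-mode-not-enforcing"
    fi
}
```

Calling `sb_state` with no argument reads the live variables: it should report `setup-mode` before the enrolment tool is booted and `secure-boot-enforcing` once Secure Boot has been switched on afterwards.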