Invalid signature #447

Open
opened 2025-04-02 13:53:49 +00:00 by Anninzy · 8 comments
Anninzy commented 2025-04-02 13:53:49 +00:00 (Migrated from github.com)

I followed the quickstart up until this point:
https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#entering-secure-boot-setup-mode

After enabling secure boot, attempting to boot leads to

Secure Boot Violation
Invalid signature detected. Check Secure Boot Policy in Setup

Selecting OK on this prompt boots to Windows

Disabling secure boot lets me boot into NixOS again

kuflierl commented 2025-04-05 00:15:15 +00:00 (Migrated from github.com)

What does `sbctl status` say?
Anninzy commented 2025-04-05 07:54:35 +00:00 (Migrated from github.com)
Installed:	✓ sbctl is installed
Owner GUID:	3751042f-e4d5-43b7-93a5-795c0b10b79d
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft builtin-db builtin-KEK builtin-PK
kuflierl commented 2025-04-06 02:09:58 +00:00 (Migrated from github.com)
> Installed:	✓ sbctl is installed
> Owner GUID:	3751042f-e4d5-43b7-93a5-795c0b10b79d
> Setup Mode:	✓ Disabled
> Secure Boot:	✗ Disabled
> Vendor Keys:	microsoft builtin-db builtin-KEK builtin-PK

looks good, you enrolled the keys just fine. what does `sudo sbctl verify` say tho?
Anninzy commented 2025-04-06 08:03:36 +00:00 (Migrated from github.com)

That gives


✓ /boot/EFI/Boot/bootx64.efi is signed
✓ /boot/EFI/Linux/nixos-generation-115-pqfwc4j35ygmm5ksl4n2dcwcbrcv3davd47bo2yne5zj2ses6emq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-116-6aedznfg5smiyd2tyrrtzhjyvjujqqm4h3yspvpelstzghh2xvyq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-117-rediefxa5wu34bykbmhudh2onp3qbss7c6wuuj3ovaib3vyblrna.efi is signed
✓ /boot/EFI/Linux/nixos-generation-118-t6sphlvwfqyr3jnm5evwj4f5ambtkaunzyjx6wmww74cbclkwkzq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-119-sdp3l2sjhizj7z55zqqhoxo55erjm2bk36hleznspztdjwgqrmuq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-120-c76siqzagh6fkn6jvfhixezeebpn2hh3gdxqko3b53yoqsmwy6za.efi is signed
✗ /boot/EFI/Microsoft/Boot/Resources/bootres.dll is not signed
✗ /boot/EFI/Microsoft/Boot/Resources/en-US/bootres.dll.mui is not signed
✗ /boot/EFI/Microsoft/Boot/SecureBootRecovery.efi is not signed
✗ /boot/EFI/Microsoft/Boot/bg-BG/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/bg-BG/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✗ /boot/EFI/Microsoft/Boot/bootmgr.efi is not signed
✗ /boot/EFI/Microsoft/Boot/cs-CZ/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/cs-CZ/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/cs-CZ/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/da-DK/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/da-DK/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/da-DK/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/de-DE/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/de-DE/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/de-DE/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/el-GR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/el-GR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/el-GR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-GB/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-GB/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-ES/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-ES/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-ES/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-MX/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-MX/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/et-EE/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/et-EE/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fi-FI/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fi-FI/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fi-FI/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-CA/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-CA/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-FR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-FR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-FR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hr-HR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hr-HR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hu-HU/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hu-HU/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hu-HU/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/it-IT/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/it-IT/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/it-IT/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ja-JP/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ja-JP/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ja-JP/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_10df.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_10ec.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_14e4.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_15b3.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_1969.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_19a2.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_1af4.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_8086.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_07_1415.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_0C_8086.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kdnet_uart16550.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kdstub.dll is not signed
✗ /boot/EFI/Microsoft/Boot/ko-KR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ko-KR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ko-KR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lt-LT/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lt-LT/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lv-LV/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lv-LV/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/memtest.efi is not signed
✗ /boot/EFI/Microsoft/Boot/nb-NO/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nb-NO/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nb-NO/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nl-NL/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nl-NL/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nl-NL/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pl-PL/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pl-PL/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pl-PL/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-BR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-BR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-BR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-PT/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-PT/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-PT/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/qps-ploc/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ro-RO/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ro-RO/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ru-RU/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ru-RU/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ru-RU/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sk-SK/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sk-SK/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sl-SI/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sl-SI/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sr-Latn-RS/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sr-Latn-RS/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sv-SE/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sv-SE/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sv-SE/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/tr-TR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/tr-TR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/tr-TR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/uk-UA/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/uk-UA/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-CN/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-CN/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-CN/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-TW/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-TW/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-TW/memtest.efi.mui is not signed
✗ /boot/EFI/nixos/kernel-6.12.21-cmcjqatqft6ng3fzjrqiwcupsvkai26ep2i4q6vnt4x65ip5nb6a.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
wtestcase commented 2025-04-23 19:01:09 +00:00 (Migrated from github.com)

Same here. I'm on an Acer Nitro N50-620. My BIOS doesn't have an option to enter setup mode, the only key management option is to delete all keys, and I can't manually delete the PK from BIOS, I've tried with efitools' `efi-updatevar`, but that didn't work either.
kuflierl commented 2025-05-26 20:18:30 +00:00 (Migrated from github.com)

> Same here. I'm on an Acer Nitro N50-620. My BIOS doesn't have an option to enter setup mode, the only key management option is to delete all keys, and I can't manually delete the PK from BIOS, I've tried with efitools' `efi-updatevar`, but that didn't work either.

Deleting all keys "should" be fine as long as you:

  1. don't have anything important on your tpm
  2. update your Secure Boot Revocation List after the setup
  3. handle vendor specific firmware signing (sbctl enroll microsoft or enroll tpm should be fine)

If you do, do at your own risk. I did this and it worked just fine

M0NsTeRRR commented 2025-06-10 19:38:52 +00:00 (Migrated from github.com)

I have exactly the same issue with an ASUS PRIME-Z790-P (firmware version 1820). I successfully enrolled the key in setup mode, but booting with 'Windows UEFI Mode' and in 'Standard mode' gives me a secure boot violation due to an invalid signature (and I can boot on windows too).

sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     459daabe-2fc5-4726-aca8-275edb4cf9c9
Setup Mode:     ✓ Disabled
Secure Boot:    ✗ Disabled
Vendor Keys:    microsoft builtin-db builtin-db builtin-db builtin-KEK builtin-PK

sudo sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-1-bfpu7q432uswhoxgifwirl3pgo5ffnow6kd6nljpqm7uaeki4isa.efi is signed
✓ /boot/EFI/Linux/nixos-generation-10-5pzd3jptwklcvo2tooy4f2k6j7kw6sdgscsu4zb7wdygiii3xlpq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-11-l3rtlnw42gns736eajcmisodwhb3ruruisxa6olg3crqbk2kzahq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-12-7u7qerykl2wepw6t2vp7fxq63lhk3n7as53zkmqowgmazinigyxq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-13-plipcnge7yuqe5xvynxx7kns4xyqxkm57vr53dtrij33js752mbq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-14-paml234rulsqsj2glo6rzudhzexj6q4k3bodxbasv6jminlrtm3a.efi is signed
✓ /boot/EFI/Linux/nixos-generation-15-pvprw6xp5epkee37bi3fwgdg64wbdkstychpohyz5cbb2ryoyquq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-16-zxl3aytsixlqmiqxwiqfqzrwtihfnvbd673kdfn4tse4myngo6fa.efi is signed
✓ /boot/EFI/Linux/nixos-generation-17-t4cbbxexqyxsdf2kgydjxkpec6lgwrvfb2ks6gxwbr5q6p5eresq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-2-dfijnqmn7lif74cddct56ax3k6fxszhabubiqknze7hlxusikuoq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-3-d4jy4qkqyrn6gw3ohq4yrk7td3yj6lleq4x6msevysniv235baxa.efi is signed
✓ /boot/EFI/Linux/nixos-generation-4-uz3rqz2th5mjxga5sbhc337jhxt7rrlh2fjtxecjpv4oinrbbunq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-5-ffn3yxhc2olqyeglgfrw5tgiq5dymozoasssr6cdzuiefnzti5ua.efi is signed
✓ /boot/EFI/Linux/nixos-generation-6-3f65pwswhoea266perd3jt2te4q7brdyliwnu7nvrtq43lrks7oa.efi is signed
✓ /boot/EFI/Linux/nixos-generation-7-h7o7hbj2qmmf3b55zxxf2w4duh2unq57shm3thnt4hhogswdv7fa.efi is signed
✓ /boot/EFI/Linux/nixos-generation-8-62i26sltgpfyhstuqjpbeerx22brncft2mdm4swyhi6vesr7oaia.efi is signed
✓ /boot/EFI/Linux/nixos-generation-9-sil67m5yah4hf4ipt2fgtz766nizafxepwja42ulit7kjmlihbda.efi is signed
✗ /boot/EFI/nixos/kernel-6.12.31-mro2y6tu7emmih5a2p76nxrrcmwgmha3q4xiv2pp5xopi6pd3fvq.efi is not signed
✗ /boot/EFI/nixos/kernel-6.12.32-htaz3gnvmtgiu6zmkujyrq57imfiqi5dq3zmudnzlgfi3sxcm5oa.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
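
An added example, not part of the original thread and not code from lanzaboote or sbctl: a small parser that sorts `sbctl verify` listings like the ones posted above into entries that need action and entries that do not. It assumes that `sbctl verify` only checks for a signature made with the locally created sbctl key (so Microsoft-signed files under `EFI/Microsoft` are reported as not signed), and that under lanzaboote the kernel image under `EFI/nixos` is left unsigned by design and is covered by the signed stub; the sample input is constructed, with store hashes replaced by `HASH`.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the format of the `sbctl verify` output in this thread.
# Store hashes are replaced by the placeholder HASH; the last line is an
# invented failure case (an unsigned boot entry) to exercise the triage.
SAMPLE = """\
Verifying file database and EFI images in /boot...
✓ /boot/EFI/Boot/bootx64.efi is signed
✓ /boot/EFI/Linux/nixos-generation-120-HASH.efi is signed
✗ /boot/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/bootmgr.efi.mui is not signed
✗ /boot/EFI/nixos/kernel-6.12.21-HASH.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✗ /boot/EFI/Linux/nixos-generation-121-HASH.efi is not signed
"""

# One result line: status mark, absolute path, then "is signed" / "is not signed".
LINE = re.compile(r"^[✓✗]\s+(?P<path>/.+?) is (?P<neg>not )?signed\s*$")


def classify(path, signed, esp="/boot"):
    """Return 'signed', 'vendor', 'expected' or 'action' for one file."""
    if signed:
        return "signed"
    # The ESP is FAT, so directory names differ in case between machines
    # (EFI/Boot/bootx64.efi vs EFI/BOOT/BOOTX64.EFI): compare lower-cased.
    try:
        parts = PurePosixPath(path.lower()).relative_to(esp.lower()).parts
    except ValueError:
        return "action"  # not under the ESP mount point we were told about
    if parts[:2] == ("efi", "microsoft"):
        # Assumption: signed by Microsoft, not by the local key; these boot
        # only if the Microsoft certificates were enrolled alongside yours.
        return "vendor"
    if parts[:2] == ("efi", "nixos") and parts[-1].startswith("kernel-"):
        # Assumption: lanzaboote leaves the kernel unsigned on purpose.
        return "expected"
    # Boot loader or boot entry without a local signature: firmware
    # enforcing Secure Boot will refuse to start it.
    return "action"


def triage(text, esp="/boot"):
    """Group every file in an `sbctl verify` listing by category."""
    buckets = {"signed": [], "vendor": [], "expected": [], "action": []}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # header such as "Verifying file database ..."
        category = classify(m["path"], m["neg"] is None, esp)
        buckets[category].append(m["path"])
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE)
    for category in ("action", "expected", "vendor", "signed"):
        print(f"{category}: {len(result[category])}")
        if category == "action":
            for path in result[category]:
                print(f"  re-sign or rebuild: {path}")
```

An empty `action` list means the listing itself does not explain a Secure Boot violation, so the next things to compare are the enrolled keys and the firmware boot entry that is actually being started.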
Xarianne commented 2025-08-03 05:40:18 +00:00 (Migrated from github.com)

> Deleting all keys "should" be fine as long as you:
>
>   1. don't have anything important on your tpm
>   2. update your Secure Boot Revocation List after the setup
>   3. handle vendor specific firmware signing (sbctl enroll microsoft or enroll tpm should be fine)
>
> If you do, do at your own risk. I did this and it worked just fine

After updating the revocation list I got a bad shim error, had to reset again. But I'm guessing it will just come back.

Reference: raito/lanzaboote#447