Hi there! I already searched before asking.
Please explain the proper handling of keys/signatures (for Secure Boot) if I want to install Clear Linux (desktop version from a USB stick, created from your official .iso) as the only OS on the machine and I want to maximize its protection.
I need step-by-step instructions.
My thoughts about it:
1. Download the official .iso image and check the SHA sum.
2. Make a bootable USB stick from that .iso.
3. Plug the USB stick into the target PC (while it is powered off).
4. Power on and enter the BIOS.
5. Go to the Secure Boot section:
   - 5.1 Secure boot: enabled
   - 5.2 Secure boot: custom (customization mode)
   - 5.3 Go to “key management” <- help me: what should be done?
In my case, I’m dealing with an AMI (American Megatrends, Inc.) motherboard with an Intel CPU and GPU.
I have 6 different types of Secure Boot variables in the BIOS:

| Type | Keys | Key source |
|------|------|------------|
| PK (Platform key) | 1 | Test (AMI) |
| Key Exchange Keys | 1 | Factory |
| Authorized Signatures | 2 | Factory |
| Forbidden Signatures | 77 | Factory |
| Authorized TimeStamps | 0 | No Keys |
| OsRecovery Signatures | 0 | No Keys |

And I have these menu options:
> Factory Key Provision: Enabled
> Restore Factory Keys
> Export Secure Boot variables
> Enroll Efi Image
> Remove 'UEFI CA' from DB
> Restore DB defaults
My thoughts:
I can choose > Enroll Efi Image <
and select (from USB-stick) files:
<EFI>
<org.clearlinux>
kernel-org.clearlinux.native.5.4.13-895
loaderx64.efi
bootloaderx64.efi
<loader>
Each of these three files adds a key to the Authorized Signatures
section of the Secure Boot variables. Of course, when the kernel is updated I would have to manually add the new kernel signature in the BIOS the same way.
What do I want? I want to harden the system using Intel/Clear Linux keys/signatures and remove all Microsoft and other keys (CAs, maybe) where possible.
And I have a number of questions:
- Should I add all three files (from USB-stick) or just some?
- What can/should I remove from the default keys/signatures, and what should I leave?
Thanks for any explanation.
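
The re-enrollment the post expects after every kernel update follows from how hash-based enrollment works; the sketch below is an added example, not part of the original post and not Clear Linux or AMI code. It assumes the "Enroll Efi Image" option stores the image's SHA-256 Authenticode digest in db and that any certificate table sits at the end of the file; `authenticode_sha256`, `sample_image` and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 of a PE image, skipping the fields a signature may change."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                  # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                # CheckSum field, 4 bytes
    dirs = opt + (112 if magic == 0x20B else 96)       # data directories
    cert_entry = dirs + 4 * 8                          # entry 4: certificate table
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_len else len(pe)            # assumes table is at EOF
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_entry])
    h.update(pe[cert_entry + 8:end])
    return h.hexdigest()

def sample_image(code: bytes, checksum: int = 0, sig: bytes = b"") -> bytes:
    """Constructed PE32+ header skeleton plus payload; not a bootable file."""
    img = bytearray(0x200) + code
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)           # PE32+ magic
    struct.pack_into("<I", img, 0x98 + 64, checksum)
    if sig:                                            # append a fake cert table
        struct.pack_into("<II", img, 0x98 + 112 + 32, len(img), len(sig))
    return bytes(img + sig)

if __name__ == "__main__":
    old = sample_image(b"kernel build A")
    signed = sample_image(b"kernel build A", checksum=0x1234, sig=b"S" * 64)
    new = sample_image(b"kernel build B")
    print("build A         ", authenticode_sha256(old))
    print("build A, signed ", authenticode_sha256(signed))   # same digest
    print("build B         ", authenticode_sha256(new))      # new db entry needed
```

A digest entry pins one exact binary, so any rebuilt kernel or bootloader stops matching; enrolling the signer's certificate in db instead covers every image that signer produces.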