How to properly install Clear Linux in secure boot mode/uefi (keys/signs)?

Hi there! I already searched before asking

Please explain about properly handling of keys/signatures (for secure boot) if I want to install Clear Linux (desktop version from USB-stick, created from your officials .iso) as entire/monopoly OS and I want to maximize to protect it.

I need for step-by-step instruction.

My thoughts about it:

  1. Download official .iso image and check SHA-sum
  2. Make a bootable USB-stick from that .iso
  3. Plug USB-stick into target PC (when powered off).
  4. Power on and enter to BIOS
  5. Go to Secure Boot section:
    5.1 Secure boot: enabled
    5.2 Secure boot: custom (customization mode)
    5.3 Go to “key management” <- help me: what should be done?

In my case, I’m dealing with AMI (American Megatrends. Inc) motherboard with Intel CPU,GPU.

I have 6 different types of Secure Boot variables in BIOS:

Type                  Keys   KeySource
PK (Platform key)       1    Test (AMI)
Key Exchange Keys       1    Factory
Authorized Signatures   2    Factory
Forbidden Signatures   77    Factory
Authorized TimeStamps   0    No Keys
OsRecovery Signatures   0    No Keys

And I’ve these menu options for:

> Factory Key Provision: Enabled

> Restore Factory Keys
> Export Secure Boot variables
> Enroll Efi Image

> Remove 'UEFI CA' from DB
> Restore DB defaults

My thoughts:

I can choose > Enroll Efi Image < and select (from USB-stick) files:


Each of these three files adds a key to Authorized Signatures section of Secure Boot variables. Sure, when the kernel is updated I should manually add new kernel signature in BIOS by the same way.

What I want? I want to hardening with using Intel/ClearLinux keys/signs and remove all Microsoft and other keys (CA may be) as possible.

And I have a number of questions:

  • Should I add all three files (from USB-stick) or just some?
  • What can/should I remove from defaults keys/signs and what should I leave?

Thanx for any explain.