Hi there! I already searched before asking
Please explain about properly handling of keys/signatures (for secure boot) if I want to install Clear Linux (desktop version from USB-stick, created from your officials .iso) as entire/monopoly OS and I want to maximize to protect it.
I need for step-by-step instruction.
My thoughts about it:
- Download official .iso image and check SHA-sum
- Make a bootable USB-stick from that .iso
- Plug USB-stick into target PC (when powered off).
- Power on and enter to BIOS
- Go to Secure Boot section:
5.1 Secure boot: enabled
5.2 Secure boot: custom (customization mode)
5.3 Go to “key management” <- help me: what should be done?
In my case, I’m dealing with AMI (American Megatrends. Inc) motherboard with Intel CPU,GPU.
I have 6 different types of Secure Boot variables in BIOS:
Type Keys KeySource ----------------------------------------- PK (Platform key) 1 Test (AMI) Key Exchange Keys 1 Factory Authorized Signatures 2 Factory Forbidden Signatures 77 Factory Authorized TimeStamps 0 No Keys OsRecovery Signatures 0 No Keys
And I’ve these menu options for:
> Factory Key Provision: Enabled > Restore Factory Keys > Export Secure Boot variables > Enroll Efi Image > Remove 'UEFI CA' from DB > Restore DB defaults
I can choose
> Enroll Efi Image < and select (from USB-stick) files:
<EFI> <org.clearlinux> kernel-org.clearlinux.native.5.4.13-895 loaderx64.efi bootloaderx64.efi <loader>
Each of these three files adds a key to
Authorized Signatures section of Secure Boot variables. Sure, when the kernel is updated I should manually add new kernel signature in BIOS by the same way.
What I want? I want to hardening with using Intel/ClearLinux keys/signs and remove all Microsoft and other keys (CA may be) as possible.
And I have a number of questions:
- Should I add all three files (from USB-stick) or just some?
- What can/should I remove from defaults keys/signs and what should I leave?
Thanx for any explain.