English Community (ThinkPad: 11e (Windows), 13, E and Edge series Laptops)

Message 1 of 5
Cannot install custom secure boot PK platform key

2019-01-02, 10:02 AM

Hi there,

I have a ThinkPad E585 and want to install my own Secure Boot keys.

I successfully put the device in Setup Mode and cleared all Secure Boot keys. I can verify that all keys, including the PK, are erased.

Now I can install a new dbx and db key database, and I can install my KEK key.

But I simply cannot install my PK key. The PK is known to be good and works very well in different machines.

When trying to write the PK key, I get a security violation error.

As I said, I can very well install all the other keys (dbx, db and KEK), just not the PK.

The PK is self-signed and known to work in other devices.

The E585 has the latest BIOS, 1.48.

Would be nice if anyone has a hint!

With Google I found another guy who obviously had the same issue with a ThinkCentre device: after a BIOS update he couldn't write the PK key. But there was no solution mentioned.

 

Message 2 of 5
Re: Cannot install custom secure boot PK platform key

2019-01-03, 18:50 PM

I just tested on a ThinkPad E585 and had no problem doing this, using the PowerShell command (with my own PK) as shown below:

Message 3 of 5

Re: Cannot install custom secure boot PK platform key

2019-01-06, 17:27 PM

Thank you for replying.

I can now confirm that it is very well possible to upload custom keys, including the PK, using Microsoft tools.

I did not use the Microsoft tools; I used the Linux tool chain with efi-updatevar and KeyTool.efi. Obviously the Linux tools cannot provide the PK in the format ThinkPads expect. The Linux tools provide a matching KEK and db, but not a PK for ThinkPads.

I want to give some hints, in case other Linux users stumble across the same issue:

1.) You can install a custom KEK, db and dbx using efi-updatevar or KeyTool.efi. You cannot install a custom PK with these tools.

2.) You require the Microsoft tool chain to install your custom PK.

3.) Create your PK as usual with openssl. Store the timestamp data and GUID in a separate file; you need them later.

4.) Look at the HP Secure-Boot Customization Guide at http://h10032.www1.hp.com/ctg/Manual/c05649759

5.) Do NOT download the Windows SDK from the link given in the HP guide; it provides an outdated copy of signtool.exe.

6.) Go to Google and look for a current version of the Windows SDK for Windows 10. The SDK comes with a net installer asking for the desired packages to install. You do not need to install the complete SDK; you can skip most packages. I can't tell which package contained signtool.exe, but the package names may give a hint.

7.) A current version of signtool.exe is around 400 KB in size; outdated versions are much smaller. Search your hard drive for signtool.exe; by default it is not in your PATH variable after installing the SDK. Copy it to C:\Windows\System32\

8.) When you follow the HP guide, the end result will be a file named PK_NewKey_Import_PK.bin. You can rename that to PK_NewKey_Import_PK.auth and upload it using KeyTool.efi.

9.) Before uploading, clear all Secure Boot variables in the BIOS.

10.) To do all steps in the guide you will need the precise timestamp of your openssl-created keys. If you do not have them, create new keys. openssl outputs the timestamp during the procedures.

11.) Before doing all steps, back up the Lenovo keys first, especially the db. This contains the keys needed to start Windows and to execute BIOS updates. You can use efi-readvar to make this backup. Type efi-readvar -v db -o lenovo.db to back up the Lenovo db. You can write it back to db later in Setup Mode.


Message 4 of 5

Re: Cannot install custom secure boot PK platform key

2019-01-08, 9:08 AM

Important News for Linux Users with Secure Boot

efitools 1.9.1 was just released.

It has a new --engine switch for users who have issues with uploading their PK.

The new version should now work with ThinkPads.

No need to use the Windows tools any more. Hopefully.

Message 5 of 5

Re: Cannot install custom secure boot PK platform key

2020-05-01, 16:22 PM

@Fernseher wrote:

    Important News for Linux Users with Secure Boot

    efitools 1.9.1 was just released.

    It has a new --engine switch for users who have issues with uploading their PK.

    The new version should now work with ThinkPads.

    No need to use the Windows tools any more. Hopefully.

Hi All,

I also failed to upload the PK (db and KEK were uploaded successfully) to my ThinkPad X260 :(

My environment is the following:

BIOS R02ET73W (1.46) 01/08/2020

Kubuntu 20.04 (5.4.0-28-generic)

Latest efitools: http://ftp.ua.debian.org/debian/pool/main/e/efitools/efitools_1.9.2-1_amd64.deb

==================

root@tiguan:# efi-updatevar -f ./tiguan-pk-signature.auth PK

Failed to update PK: Invalid argument

KeyTool.efi - Error 26 "Security Violation".

==================

Some info regarding the root of such behavior was described here https://blog.hansenpartnership.com/uefi-secure-boot/#comment-123323 and it seems that "--engine" is not related to the issue in this topic at all.

efitools' author said that in 1.9.1 he tried to add a 'SignedData' key format to the existing 'full pkcs7' one; however, it seems not so helpful for the ThinkPad E585/X260 case.

Maybe someone has overcome this issue on Linux? Because using Windows tools in order to add a PK sounds weird in the context of Secure Boot.

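As an added example (not code from anyone in this thread, nor from efitools or Lenovo), the script below does the Linux side of the procedure in message 3 (openssl PK with the GUID and timestamp saved for reuse, vendor db backup with efi-readvar, ESL and .auth creation, Setup Mode enrolment with PK written last) and adds a small inspector for the point raised in message 5: whether an .auth file carries the ContentInfo-wrapped "full pkcs7" or a bare SignedData. Assumptions: openssl is in PATH; the efitools commands (cert-to-efi-sig-list, sign-efi-sig-list, efi-readvar, efi-updatevar) are needed only by backup_var, make_auth and enrol_all; all function names and the certificate CN are mine; wrap_auth writes the EFI_VARIABLE_AUTHENTICATION_2 header by hand only so the inspector has input to work on, sign-efi-sig-list produces the real thing. Nothing here says which form a given ThinkPad firmware accepts; it lets you see which one you are sending.

```shell
#!/usr/bin/env bash
# Added example for this thread (not from the posters, efitools or Lenovo).
# Assumes openssl in PATH; efitools only for backup_var, make_auth, enrol_all.
set -eu

gen_guid() {  # random owner GUID for the signature list; any GUID is acceptable
  openssl rand -hex 16 | sed -E 's/^(.{8})(.{4})(.{4})(.{4})(.{12})$/\1-\2-\3-\4-\5/'
}

make_cert() {  # make_cert <dir> <name>: self-signed RSA-2048 certificate and key
  mkdir -p "$1"
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Custom Secure Boot $2/" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Message 3, step 3: the PK plus the GUID and timestamp you will need again.
make_pk() {  # make_pk <dir>
  make_cert "$1" PK
  gen_guid >"$1/PK.guid"
  date -u +'%Y-%m-%d %H:%M:%S' >"$1/PK.timestamp"   # the form sign-efi-sig-list -t takes
}

pk_is_self_signed() {  # pk_is_self_signed <crt>: the PK must verify against itself
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Message 3, step 11: save the vendor db (Windows and BIOS-update signers) first.
backup_var() {  # backup_var <var> <out.esl>
  efi-readvar -v "$1" -o "$2"
}

# ESL plus signed .auth for one variable, reusing the saved owner GUID and timestamp.
make_auth() {  # make_auth <dir> <var> <name> <signer>, e.g. make_auth keys PK PK PK
  local d=$1
  cert-to-efi-sig-list -g "$(cat "$d/PK.guid")" "$d/$3.crt" "$d/$3.esl"
  sign-efi-sig-list -t "$(cat "$d/PK.timestamp")" -k "$d/$4.key" -c "$d/$4.crt" \
    "$2" "$d/$3.esl" "$d/$3.auth"
}

# Setup Mode enrolment: db and KEK as plain ESLs (-e works only in Setup Mode),
# PK last, because a successful PK write ends Setup Mode.
enrol_all() {  # enrol_all <dir> <vendor-db.esl>
  efi-updatevar -e -f "$1/db.esl" db
  efi-updatevar -a -e -f "$2" db      # keep the Lenovo db entries alongside ours
  efi-updatevar -e -f "$1/KEK.esl" KEK
  efi-updatevar -f "$1/PK.auth" PK
}

le_bytes() {  # le_bytes <value> <nbytes>: little-endian integer to stdout
  local i=0
  while [ "$i" -lt "$2" ]; do
    printf "\\$(printf %03o $(( ($1 >> (8 * i)) & 255 )))"; i=$((i + 1))
  done
}

# EFI_VARIABLE_AUTHENTICATION_2 layout, built here only to feed the inspector:
#   EFI_TIME(16) | dwLength(4) wRevision(2) wCertificateType(2) | CertType GUID(16)
#   | CertData = PKCS#7 DER | payload (the ESL)
wrap_auth() {  # wrap_auth <pkcs7.der> <payload.esl> <"YYYY-MM-DD HH:MM:SS"> <out.auth>
  local p7len; p7len=$(wc -c <"$1")
  {
    echo "$3" | tr ':-' '  ' | { read -r y mo d h mi s
      le_bytes "$y" 2; le_bytes "${mo#0}" 1; le_bytes "${d#0}" 1
      le_bytes "${h#0}" 1; le_bytes "${mi#0}" 1; le_bytes "${s#0}" 1; }
    le_bytes 0 9                  # Pad1, Nanosecond, TimeZone, Daylight, Pad2 must be 0
    le_bytes $((24 + p7len)) 4    # dwLength covers the 8-byte header, the GUID and CertData
    le_bytes 0x0200 2             # wRevision
    le_bytes 0x0EF1 2             # WIN_CERT_TYPE_EFI_GUID
    printf '\235\322\257\112\337\150\356\111\212\251\064\175\067\126\145\247'  # EFI_CERT_TYPE_PKCS7_GUID
    cat "$1" "$2"
  } >"$4"
}

# Which PKCS#7 shape does a .auth carry? Message 5 says efitools 1.9.1 added a
# 'SignedData' form next to the 'full pkcs7' one, so check before blaming the key.
auth_pkcs7_form() {  # auth_pkcs7_form <file.auth> -> contentinfo | signeddata | unknown
  local dwlen second
  dwlen=$(od -An -tu4 -j16 -N4 "$1" | tr -d ' ')
  second=$(openssl asn1parse -inform DER -in "$1" -offset 40 -length $((dwlen - 24)) \
             2>/dev/null | awk 'NR==2')
  case "$second" in
    *pkcs7-signedData*) echo contentinfo ;;  # SEQUENCE { OID signedData, [0] SignedData }
    *INTEGER*)          echo signeddata ;;   # SEQUENCE { INTEGER version, SET digestAlgs, ... }
    *)                  echo unknown ;;
  esac
}

# Unwrap ContentInfo into bare SignedData: copy the inner SEQUENCE (4th line of the
# asn1parse dump) byte for byte, header included, so the signature stays intact.
strip_contentinfo() {  # strip_contentinfo <in.der> <out.der>
  openssl asn1parse -inform DER -in "$1" |
    awk 'NR==4 { off = $1 + 0
                 match($0, /hl=[0-9]+/);   hl = substr($0, RSTART + 3, RLENGTH - 3) + 0
                 match($0, / l= *[0-9]+/); l  = substr($0, RSTART + 3, RLENGTH - 3) + 0
                 print off, hl + l }' |
    { read -r off len; tail -c +$((off + 1)) "$1" | head -c "$len" >"$2"; }
}
```

A typical run in Setup Mode is make_pk keys; make_cert keys KEK; make_cert keys db; backup_var db lenovo-db.esl; make_auth keys PK PK PK; make_auth keys KEK KEK PK; make_auth keys db db KEK; auth_pkcs7_form keys/PK.auth; enrol_all keys lenovo-db.esl. The inspector reads dwLength from the WIN_CERTIFICATE header and hands exactly CertData to openssl asn1parse, so the ESL payload that follows the signature cannot confuse the parse; strip_contentinfo only changes the wrapper, so the signed bytes and the timestamp in the header stay the same, which is the one thing a firmware comparison needs.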