01-02-2019 02:02 AM
I have a Thinkpad E585 and want to install my own secure boot keys.
I successfully put the device in Setup Mode and cleared all secure boot keys. I can verify, all keys including the PK are erased.
Now, I can install new dbx, db key database and I can install my KEK key.
But I simply cannot install my PK key. The PK is known to be good and works in different machines very well.
When trying to write the PK key, I get a security violation error.
As I said, I can very well install all other keys, the dbx, db and KEK. Just not the PK.
The PK is self signed and known to work in other devices.
The E585 has the latest BIOS 1.48
Would be nice if anyone has a hint!
With Google I found another guy who obviously had the same issue with a ThinkCentre device: after a BIOS update he couldn't write the PK key. But there was no solution mentioned.
01-06-2019 09:27 AM
Thank you for replying.
I can now confirm, it is very well possible to upload custom keys, including the PK using Microsoft tools.
I did not use the Microsoft tools, I used the Linux tool chain with efi-updatevar and KeyTool.efi. Obviously the Linux tools cannot provide the PK in the format Thinkpads expect. The Linux tools provide matching KEK and db, but not PK for Thinkpads.
I want to give some hint, if other Linux users stumble across the same issue:
1.) You can install custom KEK, db and dbx using efi-updatevar or KeyTool.efi. You cannot install a custom PK with these tools.
2.) You require the Microsoft tool chain to install your custom PK
3.) Create your PK as usual with openssl. Store the timestamp data and GUID in a separate file, you need them later.
4.) Look at the HP Secure-Boot Customization Guide at http://h10032.www1.hp.com/ctg/Manual/c05649759
5.) Do NOT download the Windows SDK from the link given in the HP guide, this provides an outdated copy of signtool.exe
6.) Go to Google and look for a current version of the Windows SDK for Windows 10. The SDK comes with a net installer asking for the desired packages to install. You do not need to install the complete SDK, you can skip most packages. I can't tell which package contained the signtool.exe, but package names may give a hint.
7.) A current version of signtool.exe is around 400k in size, outdated versions are much smaller. Search your hard drive for signtool.exe, by default it is not in your PATH variable after installing the SDK. Copy it to C:\Windows\System32\
8.) When you follow the HP guide, the end result will be a file named PK_NewKey_Import_PK.bin; you can rename that to PK_NewKey_Import_PK.auth and upload it using KeyTool.efi.
9.) Before uploading clear all secure-boot variables in the BIOS
10.) To do all steps in the guide you will need the precise time stamp of your openssl created keys. If you do not have them, create new keys. Openssl outputs the timestamp during the procedures.
11.) Before doing all steps, backup the Lenovo keys first, especially the db. This contains the keys needed to start Windows and to execute BIOS updates. You can use efi-readvar to make this backup. Type efi-readvar -v db -o lenovo.db to backup the Lenovo db. You can write it back later to db in Setup Mode.
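As an added example (not code from this thread or from efitools), the following Python parses the two file formats the steps above deal with: the raw EFI_SIGNATURE_LIST chain that efi-readvar writes (the db backup) and the .auth/.bin file the Windows flow produces (an EFI_VARIABLE_AUTHENTICATION_2 header, i.e. the EFI_TIME timestamp plus a PKCS7 blob, in front of the lists). It also constructs a toy PK .auth so the layout is visible; the signature-type and cert-type GUIDs are the UEFI spec constants, while the owner GUID, the certificate bytes and the PKCS7 bytes are constructed placeholders.

```python
import struct
import uuid

# UEFI spec constants (EFI_CERT_X509_GUID, EFI_CERT_TYPE_PKCS7_GUID, WIN_CERT_TYPE_EFI_GUID)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_TIME_FMT = "<HBBBBBBIhBB"  # Year, Month, Day, Hour, Min, Sec, Pad1, Nanosec, TZ, Daylight, Pad2


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LISTs (e.g. an efi-readvar db backup).
    Returns one (signature_type, owner_guid, signature_bytes_len) tuple per entry."""
    entries, off = [], 0
    while off < len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, sig_size - 16))
            pos += sig_size
        off = end
    return entries


def parse_auth_file(data):
    """Split a .auth file into (timestamp tuple, pkcs7 bytes, signature list entries)."""
    year, mon, day, hh, mm, ss, _p1, _ns, _tz, _dst, _p2 = struct.unpack_from(EFI_TIME_FMT, data, 0)
    length, rev, ctype = struct.unpack_from("<IHH", data, 16)  # WIN_CERTIFICATE header
    if rev != 0x0200 or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=data[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("unexpected CertType GUID")
    pkcs7 = data[40:16 + length]  # dwLength covers header, CertType and CertData
    return (year, mon, day, hh, mm, ss), pkcs7, parse_signature_lists(data[16 + length:])


def build_sample_auth():
    """Construct a toy PK .auth: one X509 list holding one placeholder certificate."""
    cert = b"\x30\x82\x01\x00" + bytes(256)  # constructed placeholder, not a real DER cert
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
    sig_size = 16 + len(cert)
    esl = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    esl += owner.bytes_le + cert
    pkcs7 = b"\x30\x80"  # constructed placeholder; a real file carries DER PKCS7 SignedData
    # Time-based authenticated writes require Nanosecond, TimeZone and Daylight to be 0.
    ts = struct.pack(EFI_TIME_FMT, 2019, 1, 6, 9, 27, 0, 0, 0, 0, 0, 0)
    win_cert = struct.pack("<IHH", 8 + 16 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return ts + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl
```

Run parse_auth_file over the real PK_NewKey_Import_PK.auth to confirm the timestamp matches the one saved in step 3 and that exactly one X509 entry is present; run parse_signature_lists over lenovo.db to confirm the backup from step 11 still contains its entries before re-importing it.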
01-08-2019 01:08 AM
Important News for Linux Users with secure-boot
efitools 1.9.1 was just released.
It has a new --engine switch for users who have issues with uploading their PK.
The new version should now work with Thinkpads.
No need to use the Windows tools any more. Hopefully.