Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

English Community

ThinkPad NotebooksThinkPad: X Series Laptops
All Forum Topics
Options

7 Posts

05-01-2020

Ukraine

6 Signins

45 Page Views

  • Posts: 7
  • Registered: ‎05-01-2020
  • Location: Ukraine
  • Views: 45
  • Message 1 of 9

Can't upload own PK for SecureBoot on ThinkPad X260

2020-07-01, 13:06 PM

Hi All,

 

My environment is

===================

BIOS R02ET73W (1.46 ) 01/08/2020

 

Kubuntu 20.04 (5.4.0-28-generic)

Latest efitools: http://ftp.ua.debian.org/debian/pool/main/e/efitools/efitools_1.9.2-1_amd64.deb

 

Windows 10 2004

Windows 10 SDK (10.0.19041.0)

===================

 

I have an issue with SecureBoot setup. I can't write my custom PK cert into UEFI variables (DB and KEK are wrote successfully)

 

For Linux I use this guide: https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd

The error I get is:

===================

root@tiguan:# efi-updatevar -f ./tiguan-pk-signature.auth PK

Failed to update PK: Invalid argument

 

KeyTool.efi - Error 26 “Security Violation”.

===================

 

For Win10  this guides: 

- http://h10032.www1.hp.com/ctg/Manual/c05649759

- https://forums.lenovo.com/t5/ThinkPad-11e-Windows-13-E-and-Edge-series-Laptops/Cannot-install-custom-secure-boot-PK-platform-key/m-p/4318378

Error is quite similar:

===================

PS D:> Set-SecureBootUEFI `

>>                    -Name PK `

>>                    -ContentFilePath . ouareg-pk-signature_siglist.bin `

>>                    -SignedFilePath  . ouareg-pk-signature_siglist_serialization.bin.p7 `

>>                    -Time $DATE_PK

Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022

At line:1 char:1

+ Set-SecureBootUEFI `

+ ~~~~~~~~~~~~~~~~~~~~

   + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccesception

   + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

===================

 

I suspect that the BIOS/UEFI firmware is bugged somehow.

 

Any help appreciated.

Reply
Options

7 Posts

05-01-2020

Ukraine

6 Signins

45 Page Views

  • Posts: 7
  • Registered: ‎05-01-2020
  • Location: Ukraine
  • Views: 45
  • Message 2 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-14, 15:08 PM

I have recently updated to latest BIOS:

=====================

  Package      BIOS  (BIOS ID)   ECP   (ECP ID)      Rev.  Issue Date 

 ---------    ----------------  ----------------    ----  ---------------  

1.47         1.47  (R02ET74W)  1.16  (R02HT33W)    01    2020/09/24

=====================

 

And tried this ( https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00068482en_us ) guide step-by-step. Issue is the same: Can't write PK using any of known means.

=====================

Set-SecureBootUEFI `

>>                    -Name PK `

>>                    -ContentFilePath . ouareg-pk-signature_siglist.bin `

>>                    -SignedFilePath  . ouareg-pk-signature_siglist_serialization.bin.p7 `

>>                    -Time $DATE_PK

Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022

=====================

 

Lenovo staff, any help or support will be appreciated.

Reply
Options

6940 Posts

10-29-2009

United States of America

17813 Signins

166187 Page Views

  • Posts: 6940
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 166187
  • Message 3 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-16, 14:40 PM

Did you put Secure Boot into Setup mode first?

Reply
Options

7 Posts

05-01-2020

Ukraine

6 Signins

45 Page Views

  • Posts: 7
  • Registered: ‎05-01-2020
  • Location: Ukraine
  • Views: 45
  • Message 4 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-16, 15:46 PM

Hi,

 

Yes sure, I have successfully flash costom KEK and DB keys, but once I try to flash PK, error appears.

Reply
Options

6940 Posts

10-29-2009

United States of America

17813 Signins

166187 Page Views

  • Posts: 6940
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 166187
  • Message 5 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-16, 16:05 PM

I think it's an issue with the linux tools, I know the Windows tools work.  See another thread.  

https://forums.lenovo.com/t5/ThinkPad-11e-Windows-13-E-and-Edge-series-Laptops/Cannot-install-custom-secure-boot-PK-platform-key/m-p/4318378

 

Anyway, I don't have any other advice for you.

Reply
Options

7 Posts

05-01-2020

Ukraine

6 Signins

45 Page Views

  • Posts: 7
  • Registered: ‎05-01-2020
  • Location: Ukraine
  • Views: 45
  • Message 6 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-22, 15:52 PM

HI,

 

I have tried both Linux(sign-efi-sig-list and sbvarsign) / Windows tools, almost the same behavior PK can't be wrote due to security related violation.

For Windows I have use this guide https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00068482en_us

 

It seems that current UEFI implementation for X260 is buggy :(

Reply
Options

7 Posts

05-01-2020

Ukraine

6 Signins

45 Page Views

  • Posts: 7
  • Registered: ‎05-01-2020
  • Location: Ukraine
  • Views: 45
  • Message 7 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-22, 15:54 PM

Do you have any X260 around to check this guide https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00068482en_us ?

Reply
Options

6940 Posts

10-29-2009

United States of America

17813 Signins

166187 Page Views

  • Posts: 6940
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 166187
  • Message 8 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-11-30, 19:30 PM

I don't have X260, but I do have T460p which comes from same generation so it should behave same way.

In my first test, I did "Reset to Setup Mode" and then installing my keys failed with error 0xC0000022 - incorrect authentication data.

In my next test, I did "Clear All Secure Boot Keys" and then installing my keys worked.

So I think the bug on T460s (and probably same as X260) is that "Reset to Setup Mode" doesn't really work and you have to do "Clear All Secure Boot Keys" instead.  Can you confirm it?

I also tested X270, in this case, "Reset to Setup Mode" is working OK.

Reply
Options

7 Posts

05-01-2020

Ukraine

6 Signins

45 Page Views

  • Posts: 7
  • Registered: ‎05-01-2020
  • Location: Ukraine
  • Views: 45
  • Message 9 of 9

Re:Can't upload own PK for SecureBoot on ThinkPad X260

2020-12-19, 16:29 PM

Hi!

I just have time to check your reply, but unfortunately I am still can't manage to upload PK using Windows 10 neither after only "Reset to Setup Mode"  nor after only "Clear All Secure Boot Keys".

 

Still getting "Incorrect authentication data: 0xC0000022" error:

 

-----------------------------------------------------------------------------------------------

PS D:\> Set-SecureBootUEFI `
>>                    -Name PK `
>>                    -ContentFilePath .\touareg-pk-signature_siglist.bin `
>>                    -SignedFilePath  .\touareg-pk-signature_siglist_serialization.bin.p7 `
>>                    -Time $DATE_PK
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At line:1 char:1
+ Set-SecureBootUEFI `
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccesception
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

-----------------------------------------------------------------------------------------------

 

Similar error(about permission violation) appears while trying to write PK using kUbuntu 20.04 Linux.

 

Are there some else methods we can test? or maybe you can get some X260 around to reproduce my case?

 

 

 

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms

Most Liked Authors

(Last 7 days)

View All