| ▲ | mhitza 5 hours ago | ||||||||||||||||||||||
Is it possible to un-enroll the Microsoft certificates, and just trust the efi shim? | |||||||||||||||||||||||
| ▲ | NekkoDroid 5 hours ago | parent | next [-] | ||||||||||||||||||||||
> Is it possible to un-enroll the Microslop certificates Technically yes, with a massive fucking asterisk: Some option-ROM are signed with the MS certs and if your Motherboard doesn't support not loading those (whether needed or not) you will not be able to sometimes even POST. | |||||||||||||||||||||||
| ▲ | bri3d 5 hours ago | parent | prev [-] | ||||||||||||||||||||||
With almost all modern motherboard firmware you can enter Setup mode and use KeyTool to configure the trust store however you want, starting from enrolling a user PK (Platform Key) upwards. It’s generally a lot more secure to avoid the use of any shims (since they leave you vulnerable to what happened in this article) and just build a UEFI Kernel Image and sign that. Some systems need third party firmware to reach the OS, and this can get a bit more complicated since those modules need to load with the new user keys, but overall what you are asking is generally possible. | |||||||||||||||||||||||
| |||||||||||||||||||||||