How to install keys for Secure Boot on ThinkPad X1 3rd gen?

[nagmat84]

I want to enable Secure Boot on a ThinkPad X1 Carbon 3rd gen., but no matter what I do, I always hit a dead-end. I have already setup Secure Boot on two other laptops (which had a more modern UEFI firmware) and I am starting to believe that I might have found a bug in the firmware which actually makes it impossible to install custom signature keys into the NVRAM. I am still hoping that someone has managed to do it and could share the trick.

Model, firmware and version:

Laptop manufacturer: Lenovo
Laptop type: ThinkPad X1 Carbon, 3rd gen., 20BTS08N00
FW manufacturer: Phoenix
FW type: SecureCore for ThinkPad
FW version: 1.34, N14ET56W, 2021-08-31 (latest available version)

Basically, I want to follow the following steps:

1. Create my own PK, KEK(s) and DBK(s)
2. Sign refind.efi (my boot manager), kernels and kernel modules
3. Extract the original OEM keys from the laptop firmware
4. Merge the extracted OEM keys and my own keys into a combined key list
5. Install the combined key list into the NVRAM

Step 1 and 2 are no problem. I have already done that before. I have binary packages ready on my own build server. Likewise, step 4 shouldn't be a problem either if I ever get beyond step 3. Step 3 and 5 are posing problems. However, I might be able to workaround step 3 using another distro than Gentoo.

The laptop firmware supports three settings with two options each.

• "Secure Boot" can be enabled or disabled.
  If Secure Boot is disabled, the EFI variables PK, KEK, db and dbx are not available at all. So Secure Boot must be enabled.
• "Platform Mode" can be "Setup Mode" or "User Mode"
  If the Platform Mode is in Setup Mode, the EFI variables PK, KEK, db and dbx are writable and signature verification is not enforced. In that mode, the FW also allows to boot an unsigned EFI binary. In "User Mode", the EFI variables PK, KEK, db and dbx are read-only. Signature verification is enforced.
• "Secure Boot Mode" can be "Standard Mode" or "Custom Mode"
  This setting is rather implicit. "Standard Mode" means that the default key lists are in place. "Custom Mode" means that the key lists are not the default lists which are shipped with the firmware.

However, I cannot toggle the Platform Mode directly, but only implicitly via three different actions:

• Restore Factory Keys
  This action puts the Platform Mode into User Mode, but also restores the default lists for PK, KEK, db and dbx. After that signature verification is enforced, but also any custom signature key is lost.
• Reset to Setup Mode
  This action puts the Platform Mode into Setup Mode, but also erases the lists PK, KEK, db and dbx. After that signature verification is disabled, but there is also no key left (even the OEMs keys are erased).
• Clear All Secure Boot Keys
  Seems to have the same effect as "Reset To Setup Mode".

Now, for the problem in step #3. In order to be able to extract the OEM keys, I must boot the laptop in Platform Mode "User Mode". This means I need an EFI kernel signed with one of the default Microsoft keys. The UEFI FW does not seem to allow booting an unsigned EFI kernel (with signature verification disabled), but with the keys still being in place for extraction. I downloaded Gentoo minimal installation image and the Gentoo Live image. None of them seems to support a signed EFI kernel. I haven't tried another distro (i.e. Ubuntu) yet. I assume that Ubuntu offers a Ubuntu Live Image with signed EFI kernels. But I am wondering if there is a "Gentoo way" to do it.

Now for the problem in step #5. This is actually the more severe problem. After I had put the Platform Mode into "Setup Mode" I was able to install my own key lists into the empty EFI variables. Now, I somehow need to switch the Platform mode back into "User Mode". Initially, I expected that to happen automatically upon the next boot, when the UEFI firmware recognizes that the key lists are not empty anymore. However, the FW remains in "Setup Mode" and signature verification remains disabled. (I was able to verify that by booting an unsigned EFI binary). The only way to switch back to "User Mode" seems to be via the action "Restore Factory Keys". However, this overwrites my custom key lists with the default ones. (I was able to verify that because I was only able to boot Windows, everything else failed with a "signature violation" from the FW). At this point I am lost in a dead-end. It looks like a vicious circle. This leads to my question: How do I install my custom key lists in Setup Mode and then switch back to User Mode in order to enforce signature verification without loosing my custom key lists?

In case it helps:

Code: Select all

                                 ThinkPad Setup
                                       Security
┌─────────────────────────────────────────────────────┬────────────────────────┐
│               Secure Boot                           │   Item Specific Help   │
├─────────────────────────────────────────────────────┼────────────────────────┤
│                                                     │                        │
│   Secure Boot                 [Enabled]             │ This option is used    │
│                                                     │ to restore all keys    │
│   Platform Mode               User Mode             │ and certificates in    │
│   Secure Boot Mode            Standard Mode         │ Secure Boot databases  │
│                                                     │ for factory defaults.  │
│   Reset to Setup Mode         [Enter]               │ Any customized Secure  │
│   Restore Factory Keys        [Enter]               │ Boot settings will be  │
│   Clear All Secure Boot Keys  [Enter]               │ erased, and the        │
│                                                     │ default Platform Key   │
│                                                     │ will be                │
│                                                     │ re-established along   │
│                                                     │ with the original      │
│                                                     │ signature databases    │
│                                                     │ including certificate  │
│                                                     │ for Microsoft (R)      │
│                                                     │ Windows 8 (R).         │
└─────────────────────────────────────────────────────┴────────────────────────┘
   F1   Help  ↑↓  Select Item  +/-    Change Values      F9   Setup Defaults
   Esc  Exit  ←→  Select Menu  Enter  Select ▶ Sub-Menu  F10  Save and Exit

Code: Select all

                                 ThinkPad Setup
                                       Security
┌─────────────────────────────────────────────────────┬────────────────────────┐
│               Secure Boot                           │   Item Specific Help   │
├─────────────────────────────────────────────────────┼────────────────────────┤
│                                                     │                        │
│   Secure Boot                 [Enabled]             │ This option is used    │
│                                                     │ to clear the current   │
│   Platform Mode               Setup Mode            │ Platform Key and put   │
│   Secure Boot Mode            Custom Mode           │ the system into setup  │
│                                                     │ mode. You can install  │
│   Reset to Setup Mode         [Enter]               │ your own Platform Key  │
│   Restore Factory Keys        [Enter]               │ and customize the      │
│   Clear All Secure Boot Keys  [Enter]               │ Secure Boot            │
│                                                     │ signature databases    │
│                                                     │ in setup mode.         │
│                                                     │                        │
│                                                     │ Secure Boot mode       │
│                                                     │ will be set to custom  │
│                                                     │ mode.                  │
│                                                     │                        │
│                                                     │                        │
└─────────────────────────────────────────────────────┴────────────────────────┘
   F1   Help  ↑↓  Select Item  +/-    Change Values      F9   Setup Defaults
   Esc  Exit  ←→  Select Menu  Enter  Select ▶ Sub-Menu  F10  Save and Exit

[pietinger]

As far as I understand you will need:

Secure Boot + Platform Mode -> "Setup Mode" + Secure Boot Mode -> "Standard Mode"

Are you now able to boot with an unsigned kernel AND then read the keys with:

Code: Select all

# efi-readvar -v PK -o old_PK.esl
# efi-readvar -v KEK -o old_KEK.esl
# efi-readvar -v db -o old_db.esl
# efi-readvar -v dbx -o old_dbx.esl

?

If this is possible you can now add your keys and boot back into UEFI.

I guess you will need now:

Secure Boot + Platform Mode -> "Setup Mode" + Secure Boot Mode -> "Custom Mode"

Are you now able to install the (assembled) keys ?

[GDH-gentoo]

With respect to #5, this document from Lenovo says that you need to use "Restore Factory Keys" indeed to change the Platform Mode back to User Mode.

This other document suggests that firmware keys should be modified setting "Secure Boot Customization" to "Custom". And, since it is not mentioned, leaving "Platform Mode" alone I presume. There's even a Key Management menu, apparently.

With respect to #3, firmware keys are stored in EFI variables, and if I understand correctly, you can just disable Secure Boot, and once you have booted (nonsecurely), there are programs that can retrieve firmware keys by accessing the efivarfs filesystem.

Disclaimer: I don't use Secure Boot, and, because of the appalling number of bad implementations of the UEFI specification that one finds in the wild, if I did want to use Secure Boot for booting GNU/Linux, I'd use the Shim and Machine Owner Keys (MOKs).

[nagmat84]

As far as I understand you will need:
Secure Boot + Platform Mode -> "Setup Mode" + Secure Boot Mode -> "Standard Mode"

Unfortunately, this is not possible. I cannot set Platform Mode = "Setup Mode" and Secure Boot Mode = "Standard Mode". There is no way to manually toggle those modes independently. I can only trigger one of the three actions "Reset ...", "Restore ..." and "Clear All ..." which yield either the fixed combination "Setup Mode" + "Custom Mode" or "User Mode" + "Standard Mode".

I guess you will need now:
Secure Boot + Platform Mode -> "Setup Mode" + Secure Boot Mode -> "Custom Mode"
Are you now able to install the (assembled) keys?

I am able to install my own key in "Setup Mode"+"Custom Mode". That is not the point. The problem is to go back to "User Mode" in order to enforce verification without loosing the installed keys again.

With respect to #3, firmware keys are stored in EFI variables, and if I understand correctly, you can just disable Secure Boot, and once you have booted (nonsecurely), there are programs that can retrieve firmware keys by accessing the efivarfs filesystem.

Yes, one of those programs is called "efi-readvar". Unfortunately, the UEFI firmware hides those variables if Secure Boot is disabled. That is part of my problem.

[sMueggli]

Can't you download the OEM keys from the Internet? They are public keys and I am pretty sure that Microsoft has published them. Maybe the other vendor keys are also published.

And why do you "need" the OEM keys? If you are setting up your own keys, why do you need OEM keys?

[GDH-gentoo]

With respect to #3, firmware keys are stored in EFI variables, and if I understand correctly, you can just disable Secure Boot, and once you have booted (nonsecurely), there are programs that can retrieve firmware keys by accessing the efivarfs filesystem.

Yes, one of those programs is called "efi-readvar". Unfortunately, the UEFI firmware hides those variables if Secure Boot is disabled. That is part of my problem.

In that case you have two alternatives:

• As you wrote before, use a live medium of a distribution that can boot with Secure Boot enabled. These use a build of the Shim signed by Microsoft, which in turn contains an embedded, distribution-specific public key for verification of their second stage bootoader's signature (usually GRUB).
• Temporarily set up Gentoo's Shim (which is Fedora's signed Shim), and use the MokManager to disable signature verification for your unsigned second stage bootloader (rEFInd).

All of this as a one time task for extracting the firmware keys, of course.

[nagmat84]

And why do you "need" the OEM keys? If you are setting up your own keys, why do you need OEM keys?

A need dual boot with Windows. However, I have already extracted the keys from another machine. I assume whatever was installed on the Laptop initially would have been expired by now anyway. I have obtained KEKs from Canonical and Microsoft as well as DB keys from Canonical and Microsoft (2x: one for Windows and another for 3rd-pary bootloaders) from the firmware of my desktop PC. So, problem #3 should be settled.

Problem #5 remains to be solved.[/i][/list]

[GDH-gentoo]

[...] which yield either the fixed combination "Setup Mode" + "Custom Mode" or "User Mode" + "Standard Mode".

Does the combination Platform Mode = User mode and Secure Boot Mode = Custom exist and allow key manipulation?

[nagmat84]

Does the combination Platform Mode = User mode and Secure Boot Mode = Custom exist and allow key manipulation?

I honestly, don't know. I assume it should exist, but I do not know how to enter it. However, as far as I understand this mode does not allow manipulating the key lists as that mode is intended to be eventually effective to enforce signature verification but no change of key lists.

[GDH-gentoo]

I honestly, don't know. I assume it should exist, but I do not know how to enter it. However, as far as I understand this mode does not allow manipulating the key lists as that mode is intended to be eventually effective to enforce signature verification but no change of key lists.

The document from Lenovo that I linked to suggests that you should be able to manipulate keys in this mode (Custom).

[Nowa]

And why do you "need" the OEM keys? If you are setting up your own keys, why do you need OEM keys?

A need dual boot with Windows. However, I have already extracted the keys from another machine. I assume whatever was installed on the Laptop initially would have been expired by now anyway. I have obtained KEKs from Canonical and Microsoft as well as DB keys from Canonical and Microsoft (2x: one for Windows and another for 3rd-pary bootloaders) from the firmware of my desktop PC. So, problem #3 should be settled.

Problem #5 remains to be solved.[/i][/list]

To install new keys you probably have to:
1) Set "Platform mode" to "Setup Mode", this tells the firmware to accept new keys
2) Create a new Platform Key if you don't already have one, use the PK to sign the list of KEK keys (which should contain the Microsoft keys, and your own KEK). Use your own KEK to sign the DB key that you'll be signing your efi files with. (app-crypt/sbctl may be used to automate the process)
3) Install the new set of keys using, for example, app-crypt/sbctl (which has the --enroll option or something similarly named), or systemd-boot which can enroll keys it finds on the ESP automatically if the firmware is in Setup Mode (you'd have to check the manual to see what the file name of the key should be)
4) Set "Secure Boot Mode" to "Custom" and "Platform mode" to "User Mode" to instruct the firmware to use your custom set of keys instead of the built-in set of Microsoft keys (this may happen automatically after enrolling your keys).

I can only trigger one of the three actions "Reset ...", "Restore ..." and "Clear All ..." which yield either the fixed combination "Setup Mode" + "Custom Mode" or "User Mode" + "Standard Mode".

This makes sense, since Setup Mode will prepare the firmware to receive custom keys. Whereas "User Mode" is the mode you'll be using when booting and enforcing your keys. Since no custom keys have been added, the standard (Microsoft keys) mode will be the only one available. It is usually not possible to add custom keys via the Firmware Interface, you have to do this from the OS or some EFI application.

Or, since your aim is to simply dual-boot with Windows, you can make your live a lot easier with Shim since it is already signed by the Microsoft Third Party key (which will be accepted in the "Standard Mode"):
1) install shim.efi and mm.efi to your ESP
2) use efibootmgr to add a boot entry for shim, either use the '-u \relative\path\to\your\bootloader' argument to instruct shim which bootloader to chain load. Or rename your bootloader "grubx64.efi' and put it in the same directory as shim/mokmanager
3) mokutil --import /the/key/you'll/use/to/sign/kernel/and/bootloader
4) In UEFI enable SecureBoot in "User Mode" and "Standard Mode"


In either case you'll want to enable USE=secureboot to sign your kernels/bootloaders with the SECUREBOOT_SIGN_KEY (or do it manually with sbsigntools if you configure and compile your kernel manually)

[nagmat84]

I finally got it to work. However, I do not know why; more precisely, I do not know what I did different this time.

1. I put the UEFI FW into "Setup Mode"+"Custom Mode" via the action "Reset to Setup Mode"
2. I installed my self-signed PK key via efi-updatevar -f custom_pk.auth PK; this immediately disabled "Setup Mode" and let the FW switch to "User Mode"
3. Upon next boot, the UEFI FW was in "User Mode" + "Custom Mode"

The automatic transition from "Setup Mode" to "User Mode" was what I did expect in the first place. I don't know why it happened this time as expected and why it had not been happened before during the previous unsuccessful attempts.