Does secure boot on the 12 require microsoft keys?

Same question as asked here but with regards to the Framework 12: is it required to enrol Microsoft keys when enrolling your own keys on the 12? Question asked per this warning on the Arch Linux wiki:

Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g. GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate or vendor certificates.

I don’t have my 12 yet, but I know setting up my own keys is one of the first things I’ll end up doing when I receive it. Hoping the Framework team can give a definitive answer on this. Thanks!

Then your best bet is to contact support with that question, as this is a community forum that is not systematically monitored by Framework employees. And once you get an official answer you can report back here so we all benefit from it :wink:

And welcome to the community! :blush:

If you intend to use Windows? Probably yes; I have no idea if it is possible to roll your own keys for Secure Boot. For Linux? There are several distros that use Shim, which is signed by Microsoft and therefore needs the MS keys at first to boot with Secure Boot enabled. You can roll your own keys with any distribution and use Secure Boot if you wish.

MS keys come preloaded on the laptop so you don’t need to enroll them yourself.

Essentially the same answer applies from the linked thread in your original post.

Yeah sorry I should’ve been much clearer; I left a lot to infer/assume in my original post: I plan to use Linux, with a distro that does not use a signed shim, and to sign the bootloader, kernel, etc. with my own keys. So I have no need for Microsoft’s keys unless there is some firmware that demands it, as outlined in the Arch Linux article I linked. So I was hoping for confirmation from Framework that they do not rely on these default keys (as they do not with the Framework 16, at least according to that post) in order to boot. I’m not sure that an answer for the Framework 16 applies to the 12, as they may have different firmware to support the different hardware.

Not to try and sound like I know what I am talking about: I don’t, which is why I was hoping for some confirmation so I don’t brick a brand new machine. I’ll reach out to Framework support as the other poster suggested, and update here if I receive an answer.

Thanks!

My understanding is that you can sign anything with your own rolled keys if you are so technically inclined. It may require more steps, but if you want to do that, it is available to you.

The linked Arch wiki mentions OpROMs, which I assume to mean option ROMs. Those would not be used on the Framework Laptop 12.

Common option ROMs are GPU firmware, but that usually is in the context of NVIDIA hardware or eGPUs. When you set up Secure Boot, you would just tell Secure Boot not to measure those PCRs.

Hell, from what I recall, Windows requires that there be no Option ROMs for Win 11, i.e. disabling CSM mode. All that stuff should load in AFTER boot and therefore sidestep any Secure Boot issues. Especially since everything should be within the kernel and LVFS updates would be pushed using Framework’s keys and not signed by Windows.

They will, because of Intel vs. AMD hardware, but it’s all in the kernel regardless, so the same answer applies. It’s just NVIDIA that is special.

Just don’t delete Framework’s keys so BIOS/UEFI updates can get applied.

I did hear back from Framework. From their answer I’ll feel confident not enrolling the Microsoft keys. Of course it’s up to y’all if you want to risk messing with the keys, but I’m going to try it once I get my 12; I’ll report back if it goes sideways. From Framework support:

Yes, you should be able to enable Secure Boot in the BIOS of your Framework Laptop 12 without any requirements or issues.

No Microsoft keys should be needed for Secure Boot at all and you are free to use it with any OS!

Following up: I enrolled my own keys without Microsoft’s and have had zero issues so far. I did enrol Framework’s keys as suggested, to hopefully ensure no issues with firmware updates at a later date; I haven’t had to do any yet. I used sbctl as it’s my preferred method, essentially following the Arch Wiki; YMMV, but here’s what I did specifically around getting Framework’s keys in there. The rest (getting the firmware into the right mode, signing your images, etc.) you can find in the wiki:

# run as root. back up the currently enrolled keys, including the Framework keys I'll include later
sbctl --disable-landlock export-enrolled-keys --dir key-backup

# …in here is where you'd get the firmware into setup mode (see the wiki)

# create new keys (PK, KEK, db) under /var/lib/sbctl/keys
sbctl create-keys
# create directories for custom keys (Framework's), copy them in, fix perms
mkdir -p /var/lib/sbctl/keys/custom/{db,KEK}/
cp key-backup/DB/frame.work-LaptopKEK_2.der /var/lib/sbctl/keys/custom/db
cp key-backup/KEK/frame.work-LaptopSunflowerPK_1.der /var/lib/sbctl/keys/custom/KEK
chmod 400 /var/lib/sbctl/keys/custom/{db,KEK}/*.der
# enrol the new keys together with the custom (Framework) ones
sbctl enroll-keys -c
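An added example, not from the thread or from sbctl: a small Python inventory of what is actually enrolled in db and KEK, so you can compare a backup taken before `export-enrolled-keys` against the state after `enroll-keys -c` and confirm the Framework certificates (and no unexpected ones) are present. The efivarfs paths are the standard UEFI variable names; the owner GUID and entry bytes in the sample are constructed, and a real x509 entry holds a DER certificate rather than the placeholder bytes used here.

```python
import hashlib
import struct
import uuid

EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI signature-type GUIDs
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}
EFIVARS = {"db": "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
           "KEK": "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"}

def parse_esl(blob):
    """Walk a chain of EFI_SIGNATURE_LISTs; return (type, owner GUID, sha256 of payload) per entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = owner GUID + payload
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            payload = blob[pos + 16:pos + sig_size]
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), str(owner),
                            hashlib.sha256(payload).hexdigest()))
            pos += sig_size
        off = end
    return entries

def read_efivar(name):
    """Read db or KEK from efivarfs (Linux), dropping the 4-byte attribute prefix."""
    with open(EFIVARS[name], "rb") as f:
        return parse_esl(f.read()[4:])

def missing_entries(before, after):
    """Entries present in a backup but absent after enrolment (e.g. a dropped vendor cert)."""
    return sorted(set(before) - set(after))

def build_esl(sig_type, owner, payloads):
    """Pack equal-sized payloads into one EFI_SIGNATURE_LIST (used to construct the sample below)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

# Constructed sample: a db with one "certificate" (placeholder bytes) and two hash entries,
# then the same db with the certificate list dropped, as would happen if a vendor key were lost.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_BEFORE = (build_esl(EFI_CERT_X509, OWNER, [b"abc"]) +
                 build_esl(EFI_CERT_SHA256, OWNER, [b"\x01" * 32, b"\x02" * 32]))
SAMPLE_AFTER = build_esl(EFI_CERT_SHA256, OWNER, [b"\x01" * 32, b"\x02" * 32])
```

Running `missing_entries(read_efivar("db"), parse_esl(open("key-backup-dump", "rb").read()))` style comparisons on a real machine needs root to read efivarfs; the sample data lets the logic be checked offline.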