It would be really great if Framework could publish the KEK and DB certificates used for secure boot on the Framework laptop.
Why
A user who chooses to enroll their own Platform Key (PK) will lose system trust for anything that they, or a certificate they have signed, have signed.
Publishing the Key Exchange Key (KEK) and Allowed Signature Database (DB) certificates shipped with Framework laptops would allow such a user to re-enable that trust by cross-signing those certificates with their new platform key.
NOTE: This is not a request that you release the private keys! Just the public certificates, which already ship by default on every laptop and could be extracted.
Prior Art
Microsoft does this for their KEK and DB as well, for the express purpose of enabling an OEM or PK holder to trust the Windows bootloader and allow Microsoft to perform their own key exchanges.
In the interim, I’ve published the certificates as extracted from the dbDefault and KEKDefault secure boot variables in this repository.
Two notes:
Since you have no reason to trust me, I’ve documented steps (which should work on Linux) that you can use to verify that these certificates are, in fact, signed by the root of trust on your own laptop.
I am not affiliated with Framework or the Framework team. Further, I will happily take these certificates down if I’m asked to.
@DHowett Thanks for your work. I’ll probably try to enroll my own key to enable Secureboot on my archlinux install in the coming months and as I have never had to do this it helps a lot
NOTE (since I can’t edit the original post): I’ve updated the repository with certificates from the 12th gen Intel Framework Laptop based on data provided by ngxson and Morpheus636.
