[RESPONDED] Does Secure Boot require Microsoft keys?

I successfully set up Secure Boot on my Framework 16 with my own key, but when doing so I followed the recommendation to also enable Microsoft keys. Apparently some computers require Microsoft keys to use the firmware setup utility and/or to boot at all. If you load only a custom key, it can be impossible to recover if you can’t launch the firmware setup utility.

Has anyone tried enrolling ONLY their own key and not the Microsoft keys on their Framework 16? Does everything work correctly? I don’t want someone to be able to come to my laptop and boot a random Windows build.


I did secure boot with my own key in either the bios or ubuntu creation prompt. No issues so far, and I have rebooted a few times already.

Just to confirm, you don’t have any Microsoft keys in your DB? (i.e. sbctl status doesn’t say “Vendor Keys: microsoft” / read-efivar -v db doesn’t show any “Microsoft Corporation” keys?)

And you can still get into the BIOS menus just fine?


Secure boot doesn’t require Microsoft’s keys. :slightly_smiling_face:


I think the OP’s question is regarding the warning located at the top of the Arch Linux Wiki article on creating your own secure boot keys:

Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate.

1 Like

Related, would distros that support secure boot in their live USB/iso (e.g. Fedora) continue to work if Microsoft keys aren’t enrolled?

The mainline secure boot supporting distributions usually use shim and Microsoft’s Third Party UEFI signing certificate. They will not boot without the Microsoft third party certificate or other manual intervention.


This is the correct answer. You do not need to do anything special.


Just to close the loop, yeah, I switched to using only my own keys (and the Framework frame.work-LaptopAMDDB key in db) and everything works perfectly, including the BIOS menus and even the recent firmware update. Thanks for making such a flexible laptop!