I successfully set up Secure Boot on my Framework 16 with my own key, but when doing so I followed the recommendation to also enable Microsoft keys. Apparently some computers require Microsoft keys to use the firmware setup utility and/or to boot at all. If you load only a custom key, it can be impossible to recover if you can’t launch the firmware setup utility.
Has anyone tried enrolling ONLY their own key and not the Microsoft keys on their Framework 16? Does everything work correctly? I don’t want someone to be able to come to my laptop and boot a random Windows build.
Just to confirm, you don’t have any Microsoft keys in your DB? (i.e. sbctl status doesn’t say “Vendor Keys: microsoft” / read-efivar -v db doesn’t show any “Microsoft Corporation” keys?)
And you can still get into the BIOS menus just fine?
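To make the check in the previous post concrete, here is a small stand-alone script that reads an efivarfs dump of `db` (or `KEK`/`PK`), walks the EFI_SIGNATURE_LIST structures, and reports which X.509 entries carry a given organisation name, which is what `sbctl status` summarises as "Vendor Keys: microsoft". It is an added example, not code from this thread, sbctl or Framework. The GUIDs and struct layout come from the UEFI spec; the sample variable contents, the "certificates" inside them (DER wrappers around a name string, not real X.509) and the owner GUIDs other than Microsoft's are constructed for the example.

```python
"""List what is enrolled in a Secure Boot variable (db/KEK/PK) from an efivarfs dump.

Variable layout (UEFI spec): efivarfs prefixes 4 bytes of attributes, then one or
more EFI_SIGNATURE_LISTs, each {SignatureType GUID, ListSize, HeaderSize, SigSize,
header, N x EFI_SIGNATURE_DATA {SignatureOwner GUID, SignatureData}}.
"""
import struct
import sys
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Path of db under efivarfs (EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(blob, efivarfs=True):
    """Return [(signature_type, owner, signature_bytes)] for every entry in the variable."""
    off = 4 if efivarfs else 0          # skip efivarfs attribute word
    entries = []
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])   # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def der_strings(data):
    """Crude DER walk: collect PrintableString/UTF8String leaves (subject/issuer names)."""
    out, i = [], 0
    while i + 1 < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        if tag & 0x20:                          # constructed (SEQUENCE/SET/[n]): recurse
            out.extend(der_strings(body))
        elif tag in (0x13, 0x0C):               # PrintableString / UTF8String
            out.append(body.decode("utf-8", "replace"))
        i += length
    return out


def find_vendor_certs(blob, needle="Microsoft Corporation", efivarfs=True):
    """Return [(owner_guid, names)] for X.509 entries whose DER names contain `needle`."""
    hits = []
    for sig_type, owner, data in parse_signature_lists(blob, efivarfs):
        if sig_type == EFI_CERT_X509_GUID:
            names = der_strings(data)
            if any(needle in n for n in names):
                hits.append((owner, names))
    return hits


# ---- constructed sample data (not a real db dump) -------------------------------
def _der(tag, body):
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _fake_cert(org):
    # Not an X.509 certificate: a DER SEQUENCE/SET wrapper around an org name, just
    # enough for der_strings() to find it. Constructed for this example.
    return _der(0x30, _der(0x31, _der(0x30, _der(0x13, org.encode()))))


def _sig_list(sig_type, owner, sigs):
    sig_size = 16 + len(sigs[0])            # all entries in one list share a size
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")   # SignatureOwner seen on Microsoft entries
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
SAMPLE_DB = (
    struct.pack("<I", 0x27)                                         # NV|BS|RT|TIME_BASED_AUTH
    + _sig_list(EFI_CERT_X509_GUID, MS_OWNER, [_fake_cert("Microsoft Corporation")])
    + _sig_list(EFI_CERT_X509_GUID, MY_OWNER, [_fake_cert("Framework 16 owner key")])
    + _sig_list(EFI_CERT_SHA256_GUID, MY_OWNER, [b"\x11" * 32])     # one hash allow-list entry
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    for sig_type, owner, data in parse_signature_lists(blob):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256" if sig_type == EFI_CERT_SHA256_GUID else str(sig_type)
        print(kind, "owner=%s" % owner, der_strings(data) if kind == "x509" else data.hex())
    print("vendor certs:", find_vendor_certs(blob))
```

Run it as `python3 check_db.py /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` on a live system (root is not required to read efivarfs); with no argument it parses the constructed sample. An empty "vendor certs" result is the state the question above asks about. The DER walk is deliberately minimal, so confirm any match with `openssl x509 -inform der -noout -subject` on the extracted SignatureData before acting on it.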
Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is because some device firmware (e.g. GPU OpROMs) that gets executed during boot is signed using the Microsoft 3rd Party UEFI CA certificate.
The mainline secure boot supporting distributions usually use shim and Microsoft’s Third Party UEFI signing certificate. They will not boot without the Microsoft third party certificate or other manual intervention.
Just to close the loop, yeah, I switched to using only my own keys (and the Framework frame.work-LaptopAMDDB key in db) and everything works perfectly, including the BIOS menus and even the recent firmware update. Thanks for making such a flexible laptop!
Is this only true in the default configuration of a Framework laptop?
If hardware is added that has unsigned firmware, will the system firmware fail to load the firmware interface, or will the relevant hardware simply not be used?