Anyone know what this option does? It sounds to me like it adds the Microsoft CA certificate to db. Does this mean that enabling/disabling it adds and removes the CA on-demand?
Right now I use custom keys (no Microsoft keys), and would like to keep it that way if this option is permanent.
Apologies if some of these tags are irrelevant; they're required in order to post.
EDIT II: Yes, with custom keys enrolled this option adds the indicated certificate to DB. The option disappears any time that certificate is present, making it somewhat of a one-way toggle. You can delete the signature later in DB Options > Delete Signature. The “Add …” option will return afterwards.
EDIT: you know, come to think of it… I cannot find this exact option on my Framework Laptop with secure boot in either Setup or User mode. I had mixed it up with Enroll ....
It allows you to enroll your own secure boot certificate. This is important if you are intending to sign your own EFI applications and drivers, or are using some software like sbctl to do so for you.
Will the delete operation restore the secure boot policy to what it was before the add operation? Or more specifically, will TPM PCR 7 return to the value it was measured at before the certificate add once the certificate is deleted?
Yes.
--- pcrs.0.first_clean_secure_boot 2026-05-10 12:28:41.404961392 -0500
+++ pcrs.2.after_remove_microsoft_2011 2026-05-10 12:30:53.520544652 -0500
@@ -11,6 +11,6 @@
8 : 0x0000000000000000000000000000000000000000000000000000000000000000
- 9 : 0x8C391441E1F6B34424F208CCF0A566FD76EE145BB38769AAB3C76FF0DF53F88B
- 10: 0x498ACF7098CB66EB71982A27375E62C4C939E5763869FDBC2FE129BA66A5D46E
+ 9 : 0x4B30F924299F5CA06E043628259768F43ADBF58A14907C190B4729E283D61700
+ 10: 0x5E8BAA9EA1F5127CF54F4E8A96DE96707AE692F560ACD11E2B3572D31E2FECCC
11: 0x5DF3CAA69000D9803A1DB04C9E088FB355430FCEF5C7F95C082D9DFBA793233D
- 12: 0xDD5B0134C5441BD80D41AFEA32DEF6C58640D5ED1B1A392D2FD4FF3192E370A7
+ 12: 0x4268A5F66B541F3190EAC69EF01383BD942961C474489C6A7A70DE081FA8B403
13: 0x0000000000000000000000000000000000000000000000000000000000000000
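Review bot: PCR 7 does not appear in this hunk at all, and that absence is the actual evidence behind the "Yes." above, yet nothing says so; it should be stated next to the diff that this compares the first clean boot against the state after removal and that PCR 7 is missing because its value is identical in both files. It is also worth noting that PCRs 9, 10 and 12 still differ from the clean boot after the removal, so the restoration claim holds for PCR 7 specifically and not for a policy sealed against those other registers.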
If you want to see the full set of PCRs changed for every step, open this disclosure.
first boot → enrolling 2011 CA
--- pcrs.0.first_clean_secure_boot 2026-05-10 12:28:41.404961392 -0500
+++ pcrs.1.after_enroll_microsoft_2011 2026-05-10 12:29:41.771529057 -0500
@@ -9,8 +9,8 @@
6 : 0xA2B859165831675AFB4001A0F74818F4C06AA316831F2FEDBF59F59F8C7528FD
- 7 : 0xD83E83BBB40280DE82031875313366129D0808A1B8BF6E6C83EDED7D60DCEC23
+ 7 : 0xCA143664E35A2A62AA1A2B2C0ACC5B3525C48853BCE7D6A6ECD4D8A880D54489
8 : 0x0000000000000000000000000000000000000000000000000000000000000000
- 9 : 0x8C391441E1F6B34424F208CCF0A566FD76EE145BB38769AAB3C76FF0DF53F88B
- 10: 0x498ACF7098CB66EB71982A27375E62C4C939E5763869FDBC2FE129BA66A5D46E
+ 9 : 0x3FC6813B7EA89C55FAFD50AF745B630D836AFD4064719F69417E74D0F53CEA7D
+ 10: 0xCDEF06F061992165CDF1D0FD0E28A1EAFFD721CD86D8913C9108824400D54DC0
11: 0x5DF3CAA69000D9803A1DB04C9E088FB355430FCEF5C7F95C082D9DFBA793233D
- 12: 0xDD5B0134C5441BD80D41AFEA32DEF6C58640D5ED1B1A392D2FD4FF3192E370A7
+ 12: 0xCB222481E123C7643DE89FCD457609984E8702EA9E3CF785936E385DC069E576
13: 0x0000000000000000000000000000000000000000000000000000000000000000
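Review bot: the `- 7 :` / `+ 7 :` pair is the change that answers the question, since PCR 7 is the register that records the Secure Boot policy, but the hunk does not label it as such and a reader has to know which register matters; a one-line note naming PCR 7 as the Secure Boot policy measurement would make the enrollment effect obvious. The changes to 9, 10 and 12 in the same hunk are not explained by the enrollment alone and are left unexplained here.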
enrolling 2011 CA → removing 2011 CA
--- pcrs.1.after_enroll_microsoft_2011 2026-05-10 12:29:41.771529057 -0500
+++ pcrs.2.after_remove_microsoft_2011 2026-05-10 12:30:53.520544652 -0500
@@ -9,8 +9,8 @@
6 : 0xA2B859165831675AFB4001A0F74818F4C06AA316831F2FEDBF59F59F8C7528FD
- 7 : 0xCA143664E35A2A62AA1A2B2C0ACC5B3525C48853BCE7D6A6ECD4D8A880D54489
+ 7 : 0xD83E83BBB40280DE82031875313366129D0808A1B8BF6E6C83EDED7D60DCEC23
8 : 0x0000000000000000000000000000000000000000000000000000000000000000
- 9 : 0x3FC6813B7EA89C55FAFD50AF745B630D836AFD4064719F69417E74D0F53CEA7D
- 10: 0xCDEF06F061992165CDF1D0FD0E28A1EAFFD721CD86D8913C9108824400D54DC0
+ 9 : 0x4B30F924299F5CA06E043628259768F43ADBF58A14907C190B4729E283D61700
+ 10: 0x5E8BAA9EA1F5127CF54F4E8A96DE96707AE692F560ACD11E2B3572D31E2FECCC
11: 0x5DF3CAA69000D9803A1DB04C9E088FB355430FCEF5C7F95C082D9DFBA793233D
- 12: 0xCB222481E123C7643DE89FCD457609984E8702EA9E3CF785936E385DC069E576
+ 12: 0x4268A5F66B541F3190EAC69EF01383BD942961C474489C6A7A70DE081FA8B403
13: 0x0000000000000000000000000000000000000000000000000000000000000000
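Review bot: the `+ 7 :` line here is byte-for-byte the `- 7 :` value of the enrollment diff, so this hunk is what closes the loop on the PCR 7 question; that observation belongs in a sentence beside the hunk rather than being left for the reader to cross-check 64 hex digits by eye. PCRs 9, 10 and 12, by contrast, take a third value that matches neither the clean nor the enrolled boot, so the "Yes." should be scoped to PCR 7 only.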
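The check the answer above performs by hand (snapshot the PCRs, diff, confirm PCR 7 is back to its pre-enrollment value) can be automated. The following is an added example, not code from the thread; it parses the `N : 0x…` line layout shown in the diffs (the format `tpm2_pcrread` prints, assumed here) and uses constructed, shortened sample digests, not the real 32-byte values.

```python
import re
from typing import Dict, List

# Matches lines such as "8 : 0x00…" or "10: 0x5E8B…" as shown in the thread.
PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrs(text: str) -> Dict[int, str]:
    """Return {pcr_index: hex_digest} for every PCR line in a snapshot."""
    pcrs: Dict[int, str] = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line)
        if m:
            pcrs[int(m.group(1))] = m.group(2).upper()
    return pcrs


def changed_pcrs(before: Dict[int, str], after: Dict[int, str]) -> List[int]:
    """Indices whose digest differs between two snapshots (missing counts as changed)."""
    return sorted(i for i in set(before) | set(after) if before.get(i) != after.get(i))


def pcr7_restored(baseline: Dict[int, str], enrolled: Dict[int, str],
                  removed: Dict[int, str]) -> bool:
    """True only if enrolling moved PCR 7 and deleting the cert moved it back."""
    return enrolled.get(7) != baseline.get(7) and removed.get(7) == baseline.get(7)


# Constructed sample snapshots (digests shortened to 4 hex chars for readability).
# They mirror the pattern in the thread: 7 flips and returns, 9/10/12 drift every boot.
BASELINE = "6 : 0xA2B8\n7 : 0xD83E\n8 : 0x0000\n9 : 0x8C39\n10: 0x498A\n11: 0x5DF3\n12: 0xDD5B\n13: 0x0000\n"
ENROLLED = "6 : 0xA2B8\n7 : 0xCA14\n8 : 0x0000\n9 : 0x3FC6\n10: 0xCDEF\n11: 0x5DF3\n12: 0xCB22\n13: 0x0000\n"
REMOVED = "6 : 0xA2B8\n7 : 0xD83E\n8 : 0x0000\n9 : 0x4B30\n10: 0x5E8B\n11: 0x5DF3\n12: 0x4268\n13: 0x0000\n"

if __name__ == "__main__":
    b, e, r = parse_pcrs(BASELINE), parse_pcrs(ENROLLED), parse_pcrs(REMOVED)
    print("changed by enroll:", changed_pcrs(b, e))
    print("still differing after removal:", changed_pcrs(b, r))
    print("PCR 7 restored:", pcr7_restored(b, e, r))
```

On a real machine the three strings would be the saved output of the PCR read taken before enrolling, after enrolling and after deleting the signature; any index other than 7 that `changed_pcrs` reports after removal is one a TPM-sealed secret must not depend on if it is expected to survive this toggle.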
Perfect, thanks for your help!