I have an Intel Core Ultra Series 1.
I had an issue updating retimer firmware, so I tried various things (this is another topic)… I did reset secure boot with default keys “Restore Secure Boot to factory Settings”, then I did “Erase all Secure Boot Settings” with secure boot disabled. After that, when booting under Linux, none of the UEFI tools were working. See:
So I was unable to enroll my own key using `sbctl enroll-keys`.
To enter into a functional setup mode, I had to follow these steps:
- In BIOS “Restore Secure Boot to factory Settings”
- Save and “reboot”, and enter BIOS again (F2 key)
- In BIOS, manually reset/clear all PK, KEK and db certificates and signatures. Do not touch DBX default entries. Do not use “Erase all Secure Boot Settings”
- Keep secure boot disabled
- Reboot to Linux, and enroll the keys (including Microsoft keys and Framework firmware keys) with:
  ```
  sbctl enroll-keys -m -f
  ```
- And finally go back to BIOS and enable secure boot
- Reboot to Linux and check that everything is right:
  ```
  sbctl status
  ```
Note: For (at least) BIOS version 3.05 for an Intel® Core™ Ultra Series 1, if somehow the DBX database is changed/updated, for example, by applying UEFI revocation database update, everything will break…
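
The following is an added example, not part of the original post: a pre-flight check that reads the `SetupMode` and `SecureBoot` UEFI variables directly from efivarfs, to confirm the firmware really is in Setup Mode before running `sbctl enroll-keys -m -f`. The function names are made up for this example; it assumes efivarfs is mounted at `/sys/firmware/efi/efivars`.

```bash
#!/bin/sh
# Added example: pre-flight check to run before `sbctl enroll-keys -m -f`.
# Reads the SetupMode and SecureBoot UEFI variables from efivarfs.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032c8c"  # EFI_GLOBAL_VARIABLE GUID

# An efivarfs file is 4 attribute bytes followed by the variable data.
# SetupMode and SecureBoot are one byte each: print byte 5 as a decimal.
efivar_byte() {   # $1 = efivars directory, $2 = variable name
    ev_file="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$ev_file" ] || return 1
    [ "$(wc -c < "$ev_file")" -ge 5 ] || return 1
    od -A n -t u1 -j 4 -N 1 "$ev_file" | tr -d ' \n'
}

# Prints: no-efivars | setup-mode | user-mode-sb-off | user-mode-sb-on
secure_boot_state() {   # $1 = efivars directory (defaults to the live one)
    sb_dir="${1:-/sys/firmware/efi/efivars}"
    sb_setup="$(efivar_byte "$sb_dir" SetupMode)" || { echo no-efivars; return 0; }
    sb_on="$(efivar_byte "$sb_dir" SecureBoot)" || sb_on=0
    if [ "$sb_setup" = 1 ]; then
        echo setup-mode          # no PK enrolled: key enrollment can proceed
    elif [ "$sb_on" = 1 ]; then
        echo user-mode-sb-on     # keys enrolled and Secure Boot enforced
    else
        echo user-mode-sb-off    # keys enrolled, Secure Boot disabled in BIOS
    fi
}

echo "Secure Boot state: $(secure_boot_state "$@")"
```

Mapped onto the steps above: `setup-mode` is the state to expect after manually clearing PK, KEK and db, and `user-mode-sb-on` is the state to expect after the final reboot.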