UEFI Secure Boot is a verification mechanism for ensuring that code launched by the firmware is trusted: the firmware only executes images whose signature chains to a certificate in its signature databases.

We're currently working on secure boot support for Ubuntu; our initial Implementation Plan was posted to ubuntu-devel earlier this year.

Basic secure boot setup for testing

If you'd like to try out secure boot on your machine (or on an OVMF virtual UEFI machine), the following procedure should help. Note that this does not result in a secure system; it is simply intended for initial testing efforts.

You'll need a recent build of the secure boot tools. These are packaged in quantal, or you can build from the sources at git:// .

Create a key

We'll create a 2048-bit RSA key and a self-signed certificate for this key:

[jk@pecola ~]$ openssl genrsa -out test-key.rsa 2048
[jk@pecola ~]$ openssl req -new -x509 -sha256 \
        -subj '/CN=test-key' -key test-key.rsa -out test-cert.pem
[jk@pecola ~]$ openssl x509 -in test-cert.pem -inform PEM \
        -out test-cert.der -outform DER

Sign the boot image

For now, we'll just sign the regular GRUB2 image. sbsign writes the signed copy to a separate output file, so the original is only replaced once we copy it into place (the sbverify tool from the same package can be used to check the signature against test-cert.pem before doing so):

[jk@pecola ~]$ sbsign --key test-key.rsa --cert test-cert.pem \
        --output grubx64.efi /boot/efi/efi/ubuntu/grubx64.efi
[jk@pecola ~]$ sudo cp /boot/efi/efi/ubuntu/grubx64.efi{,.bak}
[jk@pecola ~]$ sudo cp grubx64.efi /boot/efi/efi/ubuntu/

Install the key

Note: Before you perform this step, ensure that your firmware has some mechanism to reset the secure boot configuration, or disable secure boot. We don't want you to lock yourself out of your own machine!

Through your firmware configuration interface, load the test-cert.der certificate into the "db" and "PK" signature databases. Setting the PK takes the firmware out of setup mode and should enable secure boot on your machine; from then on only images whose signature chains to a certificate in db (here, our test certificate) will be launched.

If you'd like to experiment with loading keys from within Ubuntu (rather than through your firmware configuration interface), take a look at the document sbkeysync & maintaining uefi key databases.
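The firmware stores db, KEK and PK as EFI_SIGNATURE_LIST structures (UEFI specification), and key-loading tools generally want the certificate wrapped in that form rather than as a bare DER file. The following is an added example, not code from this page or from the secure boot tools: it builds an EFI_SIGNATURE_LIST of type EFI_CERT_X509_GUID around a DER certificate, parses lists back (including several concatenated lists), and refuses PEM or truncated input, which is the usual mistake when the wrong file is handed to a key tool. It assumes only the Python standard library; SAMPLE_DER is a constructed minimal DER SEQUENCE standing in for test-cert.der, and the SignatureOwner GUID is left as the all-zero GUID.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs holding X.509 certificates.

Added example (not from the Ubuntu wiki page or the secure boot tools).
Layout per the UEFI specification:
  EFI_SIGNATURE_LIST { EFI_GUID SignatureType; UINT32 SignatureListSize;
                       UINT32 SignatureHeaderSize; UINT32 SignatureSize; }
  followed by EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner; UINT8 Data[]; }
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification. uuid's .bytes_le gives the
# mixed-endian on-disk GUID encoding that firmware uses.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# 16-byte GUID plus three little-endian UINT32 fields: 28 bytes.
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # size of EFI_SIGNATURE_DATA.SignatureOwner


def der_length(blob: bytes) -> int:
    """Return the total length of the DER SEQUENCE at the start of blob.

    A DER certificate starts with tag 0x30; the length is short form (one
    byte < 0x80) or long form (0x8N followed by N big-endian bytes).
    Raises ValueError for PEM input or a blob whose size disagrees with
    its encoded length (truncated or padded file).
    """
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (is this PEM rather than DER?)")
    first = blob[1]
    if first < 0x80:
        body, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            raise ValueError("bad DER length encoding")
        body = int.from_bytes(blob[2:2 + n], "big")
        hdr = 2 + n
    total = hdr + body
    if total != len(blob):
        raise ValueError(f"DER length {total} does not match blob size {len(blob)}")
    return total


def is_der(blob: bytes) -> bool:
    """True if blob is a single, complete DER SEQUENCE."""
    try:
        der_length(blob)
        return True
    except ValueError:
        return False


def build_esl(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST of type X509.

    owner is the SignatureOwner GUID; the firmware does not verify it, it
    merely records which agent added the entry (assumed all-zero here).
    """
    der_length(cert_der)  # refuse PEM or truncated input up front
    sig_size = _OWNER_LEN + len(cert_der)  # one EFI_SIGNATURE_DATA entry
    list_size = _LIST_HDR.size + sig_size  # SignatureHeaderSize is 0 for X509
    header = _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Parse one or more concatenated EFI_SIGNATURE_LISTs.

    Returns (type_guid, owner_guid, data) per signature entry and raises
    ValueError on sizes that do not fit, so a corrupt file is not silently
    read as a shorter list.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize exceeds buffer")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if sig_size <= _OWNER_LEN or len(body) % sig_size:
            raise ValueError("signature entries do not fill the list")
        sig_type = uuid.UUID(bytes_le=type_le)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:_OWNER_LEN]), entry[_OWNER_LEN:]))
        off += list_size
    return entries


# Constructed stand-in for test-cert.der: a minimal valid DER SEQUENCE holding
# INTEGER 5, not a real certificate. Use open("test-cert.der", "rb").read().
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


if __name__ == "__main__":
    esl = build_esl(SAMPLE_DER)
    print(len(esl), "bytes:", esl.hex())
    print(parse_esl(esl))
```

Run it against the real test-cert.der to produce a db/PK signature list; a PEM file passed by mistake is rejected by der_length rather than being wrapped into a list the firmware will refuse to parse.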


UEFI/SecureBoot (last edited 2012-09-06 03:37:58 by jk-ozlabs)