UEFI Secure Boot Key Management

Why does this matter?

Key management is an important process in maintaining a working UEFI Secure Boot policy. Ubuntu handles this automatically by guiding users through the steps they need to take when signing keys change, or as new keys are required. For the most part, for typical Ubuntu users, no extra work is necessary as the keys are managed as part of the embedded Canonical public certificate in the shim binary signed by Microsoft, and the GRUB bootloader and kernel images and modules are signed with the private portion of that key.

The Canonical key is held as trusted by the Ubuntu boot process by way of being part of the binary image of shim, itself signed by Microsoft after a review process. For more information on the signing process for shim, see the documentation for the WinQual process.

Some users may need to generate their own keys. For convenience, the processes used to generate keys for Ubuntu as well as to sign UEFI binaries is available here.


UEFI/SecureBoot/KeyManagement (last edited 2017-12-04 22:27:23 by cyphermox)