| Both sides previous revision Previous revision Next revision | Previous revision |
| secureboot [2023/10/25 22:58] – ↷ Page moved from playground:secureboot to secureboot maximumentropy | secureboot [2023/11/12 04:39] (current) – [TPM] formatting + grammar atari |
|---|
| ====== Secure Boot ====== | ====== Secure Boot ====== |
| |
| Streamlined support for Secure Boot on x86_64 systems is present in Batocera **v39** and higher. This makes it easier to flash Batocera on drives for PCs which have poor secure key management. This will install a security certificate into the machine's "Machine Owner Keys" (MOK) in the UEFI variable store. This certificate will allow the machine to execute Batocera's bootloader, which has been digitally signed with Batocera's encryption certificate. | For Batocera **v39** and higher on x86_64 systems, streamlined support for Secure Boot is present. This makes it easier to boot Batocera on PCs which have poor secure boot key management in the native UEFI BIOS. The process detailed below will install Batocera's security certificate into the machine's "Machine Owner Keys" (MOK) into the PC's UEFI variable store. This will allow the machine to execute Batocera's bootloader, which has been digitally signed with Batocera's certificate, even when Secure Boot is enabled in the BIOS. |
| |
| <WRAP center round alert> | <WRAP center round alert> |
| |
| https://www.dell.com/support/kbdoc/en-us/000124361/bitlocker-is-prompting-for-a-recovery-key-and-you-cannot-locate-the-key | https://www.dell.com/support/kbdoc/en-us/000124361/bitlocker-is-prompting-for-a-recovery-key-and-you-cannot-locate-the-key |
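Review bot: in the right-hand column the sentence "install Batocera's security certificate into the machine's "Machine Owner Keys" (MOK) into the PC's UEFI variable store" stacks two "into" phrases; suggest "into the machine's "Machine Owner Keys" (MOK) list in the PC's UEFI variable store". The alert box that follows holds only a bare Dell URL whose title concerns BitLocker prompting for a recovery key; add one sentence stating what the reader should check before continuing, otherwise the warning conveys nothing without clicking through.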
| | |
| | <WRAP center round info> |
| | For Batocera **v38** and lower, the keys must be enrolled by the BIOS itself (if available, otherwise [[:troubleshooting#boot_issues|just use legacy/CSM boot]]). This usually can be done from the security options of the BIOS. Search for an option which allows you to "Add keys", "Generate keys from EFI file" or "Enroll Efi image". The file to be selected, if asked, is ''EFI/boot/bootx64.efi''.\\ {{:bios_security_efi_keys_options.jpeg?400|Photo of a motherboard BIOS showing security options, "Enroll Efi Image" is visible.}} |
| | |
| | This method can be used instead of using the MOK management tool as explained below. Batocera **v38** and lower does not have the MOK management tool installed. |
| | </WRAP> |
| |
| ====== Prerequisites ====== | ====== Prerequisites ====== |
| {{:secure_boot_x64_-_9_-_perform_mok_management_-_reboot_-_screenshot_2023-10-20_122839.png?direct&720|}} | {{:secure_boot_x64_-_9_-_perform_mok_management_-_reboot_-_screenshot_2023-10-20_122839.png?direct&720|}} |
| |
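Review bot: the new v38-and-lower box names the file to enrol as ''EFI/boot/bootx64.efi'' but not where it lives; say which drive or partition the BIOS file browser should be pointed at, since the option wording ("Add keys", "Generate keys from EFI file", "Enroll Efi image") differs between firmwares and the path alone may not be enough for the reader to find the file.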
| The system will reboot, and should automatically launch Batocera with Secure Boot enabled. | The system will reboot. If the system's TPM is enabled, proceed to the next section, otherwise it should automatically launch Batocera with Secure Boot enabled. |
| |
| If other operating system disks are attached to the system, they can be selected for boot from your firmware's boot menu. The ''efibootmgr'' command-line utility in Batocera can also be used to adjust boot order, or to perform a one-time "boot-next" to another UEFI OS. | If other operating system disks are attached to the system, they can be selected for boot from your firmware's boot menu. The ''efibootmgr'' command-line utility in Batocera can also be used to adjust boot order, or to perform a one-time "boot-next" to another UEFI OS. (FIXME this commentary needs to move elsewhere) |
| | |
| | ====== TPM ====== |
| | |
| | Batocera's Secure Boot support requires some interaction between the bootloader and the system's hardware Trusted Platform Module (TPM), //even on systems where Secure Boot is not enabled//. |
| | |
| | If the system's TPM is enabled, the first time you boot into the newer Batocera versions, and after completing the Secure Boot MOK management setup (if Secure Boot is enabled), a **Boot Option Restoration** screen with a countdown will be displayed. If no action is taken, the system will reboot repeatedly into this screen. |
| | |
| | {{ :tpm_1_boot_option_restoration.jpg?direct&600 |}} |
| | |
| | Using a keyboard, press any key to move on to the next screen. |
| | |
| | On the **Boot Options Restored** screen, use the arrow keys to select **Always continue boot** and press ''[Enter]''. The system will then boot into Batocera. |
| | |
| | {{ :tpm_2_boot_option_restored.jpg?direct&600 |}} |
| | |
| | It will be necessary to perform this setup only once, as long as the correct option is selected. |
| |
| ====== Upgrading and Downgrading with Secure Boot ====== | ====== Upgrading and Downgrading with Secure Boot ====== |
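Review bot: the editor's remark "(FIXME this commentary needs to move elsewhere)" in the right-hand column of the efibootmgr paragraph is reader-facing text; either move the paragraph now or strip the FIXME before publishing. In the new TPM section, "requires some interaction between the bootloader and the system's hardware Trusted Platform Module (TPM), even on systems where Secure Boot is not enabled" does not say what the interaction is or why it produces the Boot Option Restoration screen; a sentence on what the bootloader does with the TPM would let readers judge whether the screen is expected. Also say what happens when an option other than "Always continue boot" is chosen, since "It will be necessary to perform this setup only once, as long as the correct option is selected" implies the other choices bring the screen back.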
| It is safe to upgrade to later Batocera versions while Secure Boot is enabled. Downgrading to **v39** or higher is also safe. If the newly upgraded/downgraded version was signed with a different signing key certificate which is not already enrolled, the MOK enrollment process may be reappear. It is possible to avoid this by disabling Secure Boot validation in the shim. | It is safe to upgrade to later Batocera versions while Secure Boot is enabled. Downgrading to **v39** or higher is also safe. If the newly upgraded/downgraded version was signed with a different signing key certificate which is not already enrolled, the MOK enrollment process may be reappear. It is possible to avoid this by disabling Secure Boot validation in the shim. |
| |
| If Batocera is downgraded to **v38** or lower, the system will fail to boot in Secure Boot mode. On systems where Secure Boot can be disabled, disabling it should allow the system to boot again. It is recommended to disable Secure Boot //before// such a downgrade. | If Batocera is downgraded to **v38** or lower, the system may fail to boot in Secure Boot mode from the bootloaders installed by those versions. On systems where Secure Boot can be disabled, disabling it should allow the system to boot again. It is recommended to disable Secure Boot //before// such a downgrade. |
| | |
| | <WRAP center round info 100%> |
| | After the downgrade, the Secure Boot capable bootloader referenced in the ''Batocera'' EFI bootloader entry may allow the earlier versions to boot with Secure Boot enabled. Whether this works or not will depend on the system's specific UEFI BIOS behaviors. |
| | </WRAP> |
| |
| ===== Disabling Secure Boot validation in the shim ===== | ===== Disabling Secure Boot validation in the shim ===== |
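Review bot: "the MOK enrollment process may be reappear" in the upgrade/downgrade paragraph should read "may reappear"; the typo is present in both revisions. That paragraph ends with "It is possible to avoid this by disabling Secure Boot validation in the shim" and the section explaining how follows directly below; make it a section link ([[#disabling_secure_boot_validation_in_the_shim|disabling Secure Boot validation in the shim]]) so readers find it. The new info box ("may allow the earlier versions to boot ... depend on the system's specific UEFI BIOS behaviors") matches the softening of "will fail to boot" to "may fail to boot" in the preceding paragraph, but it should be worded as a fallback that may or may not work, so that "disable Secure Boot before such a downgrade" stays the primary guidance.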