| Both sides previous revision Previous revision Next revision | Previous revision |
| secureboot [2023/11/01 17:58] – [Upgrading and Downgrading with Secure Boot] Add info about SB after downgrade maximumentropy | secureboot [2023/11/12 04:39] (current) – [TPM] formatting + grammar atari |
|---|
| ====== Secure Boot ====== | ====== Secure Boot ====== |
| |
| --> For Batocera v38 and lower# | |
| |
| Batocera **v38** and lower has minimal Secure Boot support, and only if the UEFI BIOS will allow direct enrollment of an EFI loader hash. This usually can be done from the security options of the BIOS. Search for an option which allows you to "Add keys", "Generate keys from EFI file" or "Enroll Efi image":\\ {{:bios_security_efi_keys_options.jpeg?400|Photo of a motherboard BIOS showing security options, "Enroll Efi Image" is visible.}} | |
| |
| <-- | |
| |
| For Batocera **v39** and higher on x86_64 systems, streamlined support for Secure Boot is present. This makes it easier to boot Batocera on PCs which have poor secure boot key management in the native UEFI BIOS. The process detailed below will install Batocera's security certificate into the machine's "Machine Owner Keys" (MOK) into the PC's UEFI variable store. This will allow the machine to execute Batocera's bootloader, which has been digitally signed with Batocera's certificate, even when Secure Boot is enabled in the BIOS. | For Batocera **v39** and higher on x86_64 systems, streamlined support for Secure Boot is present. This makes it easier to boot Batocera on PCs which have poor secure boot key management in the native UEFI BIOS. The process detailed below will install Batocera's security certificate into the machine's "Machine Owner Keys" (MOK) into the PC's UEFI variable store. This will allow the machine to execute Batocera's bootloader, which has been digitally signed with Batocera's certificate, even when Secure Boot is enabled in the BIOS. |
| |
| https://www.dell.com/support/kbdoc/en-us/000124361/bitlocker-is-prompting-for-a-recovery-key-and-you-cannot-locate-the-key | https://www.dell.com/support/kbdoc/en-us/000124361/bitlocker-is-prompting-for-a-recovery-key-and-you-cannot-locate-the-key |
| | |
| | <WRAP center round info> |
| | For Batocera **v38** and lower, the keys must be enrolled by the BIOS itself (if available, otherwise [[:troubleshooting#boot_issues|just use legacy/CSM boot]]). This usually can be done from the security options of the BIOS. Search for an option which allows you to "Add keys", "Generate keys from EFI file" or "Enroll Efi image". The file to be selected, if asked, is ''EFI/boot/bootx64.efi''.\\ {{:bios_security_efi_keys_options.jpeg?400|Photo of a motherboard BIOS showing security options, "Enroll Efi Image" is visible.}} |
| | |
| | This method can be used instead of using the MOK management tool as explained below. Batocera **v38** and lower does not have the MOK management tool installed. |
| | </WRAP> |
| |
| ====== Prerequisites ====== | ====== Prerequisites ====== |
| |
| ====== TPM ====== | ====== TPM ====== |
| Batocera's Secure Boot support requires some interaction between the bootloader and the system's hardware Trusted Platform Module (TPM), **even on systems where Secure Boot is not enabled**. | |
| |
| If the system's TPM is enabled, the first time you boot into the newer Batocera versions, and after completing the Secure Boot MOK management setup (if Secure Boot is enabled), a ''Boot Option Restoration'' countdown screen will be displayed. If no action is taken, the system will reboot repeatedly into this screen. | Batocera's Secure Boot support requires some interaction between the bootloader and the system's hardware Trusted Platform Module (TPM), //even on systems where Secure Boot is not enabled//. |
| | |
| | If the system's TPM is enabled, the first time you boot into the newer Batocera versions, and after completing the Secure Boot MOK management setup (if Secure Boot is enabled), a **Boot Option Restoration** screen with a countdown will be displayed. If no action is taken, the system will reboot repeatedly into this screen. |
| |
| {{ :tpm_1_boot_option_restoration.jpg?direct&600 |}} | {{ :tpm_1_boot_option_restoration.jpg?direct&600 |}} |
| |
| Connect a keyboard to the system, and press any key to move on to the next screen. | Using a keyboard, press any key to move on to the next screen. |
| |
| On the ''Boot Options Restored'' screen, use the arrow keys to select ''Always continue boot'' and press ''[ENTER]''. The system will then boot into Batocera. | On the **Boot Options Restored** screen, use the arrow keys to select **Always continue boot** and press ''[Enter]''. The system will then boot into Batocera. |
| |
| {{ :tpm_2_boot_option_restored.jpg?direct&600 |}} | {{ :tpm_2_boot_option_restored.jpg?direct&600 |}} |