Merry Christmas to everyone!
Recently, I puchased an ASUS ROG Strix X570-E Gaming Motherboard. In order to prevent me from evil-maid attacks, I want to use Secure Boot to sign my kernel and protect it from unauthorized modifications. However, after importing my Secure Boot keys to the BIOS (PK, KEK, DB and DBX), I failed to find an option to enable it.
In the Boot -> Secure Boot section, it says the following:
Secure Boot state User
Platform Key (PK) state Unloaded
What’s happened? Even when I successfully set the PK key, it is still Unloaded, and the OS also reports that Secure Boot is disabled:
$ bootctl status
systemd-boot not installed in ESP.
System:
Firmware: UEFI 2.70 (American Megatrends 5.17)
Secure Boot: disabled
Setup Mode: user
TPM2 Support: yes
Boot into FW: supported
Disclaimer: I am not an UEFI expert. I neither know what the UEFI specification says on Secure Boot nor know what is its relationship with Microsoft Windows. I assume that it is specified in the UEFI specfication and has nothing to do with Microsoft, except that Microsoft requires BIOS vendors to pre-install their keys and allow users to disable this feature. Correct me if I am wrong.
Environment:
I am using the 3604 x64 BIOS.
I expected to find a switch like Dell BIOS, which you can enable or disable it, but I couldn’t find anything like that. I went through several websites, but they are all showing the same almost useless information. Nobody explicitly mentions where the switch of Secure Boot is.
The manual of the motherboard also didn’t mention Secure Boot much. Also, it denotes Secure Boot as “Windows (R) Secure Boot”, what a shame for the UEFI specfication and non-Windows users?
Anyways, after several attempts, I noticed that there is a drop menu called “OS Type”, right above the “Key Management” submenu. It has two options, and the help text is like below:
Windows UEFI mode: Execute the Microsoft secure boot check. Only select this option when booting on Windows UEFI mode or other Microsoft secure boot compliant operating systems.
Other OS: Select this option to get optimized functions when booting on Windows non-UEFI mode and Microsoft secure boot non-compliant operating systems.
* The Microsoft secure boot can only function properly on Windows UEFI mode.
I initially didn’t bother it much, because I neither consider my OS (self-signed Linux EFISTUB) as Windows UEFI, nor consider it as a Microsoft secure boot compliant operating system. Therefore, I always keep it as “Other OS”.
I also thought that if I choose “Windows UEFI mode”, it would load the Microsoft keys, so my keys would be overwritten.
It turned out that I am totally wrong, or I could say that ASUS made it extremely confusing.
The real meaning of “Windows UEFI mode” is to enable Secure Boot, and “Other OS” means to disable Secure Boot, and they have absolutely nothing to do with keys. This is why lots of articles online ask you to turn it into “Windows UEFI mode”, and reset the keys in the “Keys Management” submenu to use Microsoft Keys.
That’s how it goes. After turning the OS Type to “Microsoft UEFI mode”, it starts loading my self-signed Linux binary.
What a shame on you, ASUS, of making the prompts so confusing? “Enable” and “Disable” are much better choices.