How to save secure boot keys?

1

I'm running Windows 7, and my motherboard is Asus p8z77-v.

I want to dual boot Ubuntu, but the live USB doesn't load.

I did some research and found I need to disable secure boot.

In order to do that I need to save the platform keys.

But when I plug a USB into the system and select the option to save keys, I get the message "no valid file system". I have formatted the USB to exFAT and tried all the USB ports, but nothing seems to work.

Edit: My main goal is to dual boot Ubuntu with Windows 7. If there is a way to do that without messing around with these settings, I'll be glad to do it.

The problem I'm facing is, when I boot from UEFI: USB I get the UEFI menu. But when I choose

  1. install, or
  2. try without installing options,

there is a flash and the screen goes blank. After some time my monitor goes into low power state, so there isn't anything happening.

kchak

Posted 2017-05-07T07:12:27.973

Reputation: 123

I didn't think you'd need to save anything to disable secure boot, usually... but in case you actually do, UEFI is standardised on FAT32. – Bob – 2017-05-07T07:19:40.250

My BIOS menu doesn't have a secure boot switch. So I need to go into a secure boot menu, then clear the keys to disable secure boot. Now I don't have a clue, what all of this is, so I'd like to save the keys in case something goes wrong. – kchak – 2017-05-07T07:31:30.947

Windows 7 doesn't support Secure Boot. ALL OEM devices that support Secure Boot must support being able to disable it, except for Windows RT devices (which do not support Windows 7). So if the option to enable it is missing, then your device doesn't support Secure Boot. All Asus motherboards like yours support enabling/disabling Secure Boot if the board supports Secure Boot. – Ramhound – 2017-05-08T23:03:37.847

Answers

2

PaterSiul's answer is mostly correct, but see my comment for a couple of corrections, one of which is important enough that I elaborate on it here. I'd like to emphasize and elaborate on some points beyond what I could cram into that short comment:

  • Not all EFIs provide Secure Boot functionality -- If you don't see any option to disable Secure Boot, it could be that your firmware simply lacks this feature. It began appearing in computers shortly before the release of Windows 8. Today, most computers support Secure Boot, but Macs and some servers still lack this feature. I own several EFI- or UEFI-based computers that lack Secure Boot support.
  • Windows 7 does not officially support Secure Boot -- Microsoft began pushing Secure Boot with Windows 8, not Windows 7. That said, when I installed Windows 7 on one of my computers (using an ASUS P8-H77I motherboard, FWIW), much to my surprise, it worked with Secure Boot active. After an update, though, it stopped working. Perhaps Microsoft signed some of its Windows 7 boot loaders but not others; or perhaps my motherboard included a hash of the original boot loader as valid, and thus able to pass the Secure Boot test. The bottom line, though, is that you may need to disable Secure Boot if you boot Windows 7.
  • Disabling Secure Boot should not require deleting keys -- In every computer I've seen with Secure Boot support, you can disable Secure Boot with a toggle, then re-enable it again from the same menu. Deleting keys is not required to do this, and when you re-enable Secure Boot, there should be no need to add keys back. See this page of mine for several examples of disabling Secure Boot, including screen shots. That said, there's nothing in the spec that says how the user interface to disable Secure Boot should be laid out, so it's conceivable that you've got something with a particularly primitive method that does require deleting keys. I think that's unlikely, though; it's more likely that you've simply not found the correct option, or even that your motherboard does not support Secure Boot.
  • Did you really need to disable Secure Boot? -- You say you needed to disable Secure Boot to get the Ubuntu USB drive to boot. In my experience, though, people often blame Secure Boot for problems that are not related to this feature. Most commonly, people use the wrong tools or settings when they create a USB flash drive from a .iso file. See this page of mine for more on this subject. Before you delve too far into that, though, I note that you say that when you try to boot, "there is a flash and the screen goes blank." Secure Boot failures generally (but not always) produce a message to the effect that the boot medium is untrusted. The symptom you describe sounds more like an unsupported video card. The AskUbuntu site has this question and its numerous answers on this problem. Unfortunately, there are many causes with many different solutions, so I can't give you an easy answer if this is the source of your problem.
  • The whole point of Shim is to support Secure Boot through GRUB -- PaterSiul wrote "But Shim can't check the integrity of GRUB, nor the integrity of linux or the windows bootloader, if loaded by grub. Therefore, as soon as you use dual boot, secure boot basically becomes ineffective." This is just plain wrong; indeed, this description, if accurate, would make Shim completely useless. Shim launches a follow-on program, which is hard-coded to be grubx64.efi. (There are other programs it can launch in some circumstances, but the follow-on program is normally GRUB.) Shim adds a key that's embedded in its binary to the Secure Boot checks, and the GRUB that comes with a distribution will be signed by the private version of that key. Thus, Shim launches GRUB if GRUB is signed by Shim's embedded key or by another key in the firmware, but will refuse to launch GRUB if it doesn't pass Secure Boot checks. Different GRUB builds vary, but in most cases, GRUB will call back to Shim in order to authenticate the kernel it boots, and so on. When GRUB launches the Windows boot loader, it should be authenticated, too, although there is a known bug that causes this process to fail on some (but not all) computers.
  • You can save your keys, if you really want to -- If you really want to save your default keys, you can do so. See this page of mine for details on how to do this. That page is actually written with the goal of helping you replace the built-in keys with your own keys, but part of that process is to save your existing keys. Most EFIs provide a way to do this in their own user interfaces, or you can use the KeyTools utility. (Scroll down to Replacing Keys Using KeyTool and note step #3.)

Rod Smith

Posted 2017-05-07T07:12:27.973

Reputation: 18 427
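An added example, not from any of the posters: when the firmware's own "save keys" option refuses the USB stick, the same PK, KEK, db and dbx variables can be backed up from a Linux live session (such as the Ubuntu live USB discussed above) through the kernel's efivarfs. The efivarfs path and the two variable GUIDs are the standard ones; the function names and the output layout are my own choices.

```shell
#!/bin/sh
# Back up the UEFI Secure Boot key databases from Linux via efivarfs.
# Each variable appears as a file named <Name>-<GUID>; its first 4 bytes are
# the variable attributes, the remainder is the EFI_SIGNATURE_LIST payload,
# which is the format tools such as efitools expect in a .esl file.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # PK, KEK, SecureBoot
DB_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f       # db, dbx

# save_efivar NAME GUID OUTFILE: write the variable payload (without the
# 4-byte attribute header) to OUTFILE; return 1 if the variable is absent.
save_efivar() {
    src="$EFIVARS/$1-$2"
    [ -r "$src" ] || return 1
    tail -c +5 "$src" > "$3"
}

# sb_state: report the firmware's SecureBoot variable (1 byte after the header).
sb_state() {
    src="$EFIVARS/SecureBoot-$GLOBAL_GUID"
    [ -r "$src" ] || { echo unknown; return 0; }
    case "$(tail -c 1 "$src" | od -An -tu1 | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# backup_keys [DIR]: save PK, KEK, db and dbx into DIR (a FAT32 stick mount,
# for instance) and print how many variables were actually found.
backup_keys() {
    out=${1:-./sb-keys-backup}
    mkdir -p "$out"
    n=0
    for v in PK:$GLOBAL_GUID KEK:$GLOBAL_GUID db:$DB_GUID dbx:$DB_GUID; do
        name=${v%%:*}; guid=${v#*:}
        if save_efivar "$name" "$guid" "$out/$name.esl"; then
            n=$((n + 1))
        else
            echo "warning: $name not present in $EFIVARS (no Secure Boot?)" >&2
        fi
    done
    echo "$n"
}

# Usage: sh sb-backup.sh state | sh sb-backup.sh backup /media/usb/sb-keys
case "${1:-}" in
    state)  sb_state ;;
    backup) backup_keys "${2:-}" ;;
esac
```

A missing PK or SecureBoot variable is itself a useful signal: it means the firmware exposes no Secure Boot state at all, which matches the "my BIOS has no Secure Boot switch" symptom in the question.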

0

exFAT isn't the most widely adopted file system. I wouldn't expect it to work with UEFI. As Bob wrote: Try FAT32.

Then again, you shouldn't need to save those keys, nor to disable secure boot (although neither will hurt you).

Generally, the boot process on a dual boot system with UEFI looks like this: UEFI loads a bootloader, with linux that's usually GRUB. GRUB looks at its config, finds an entry for linux and one for windows. The linux entry will load the kernel and possibly the initramfs. The windows entry will just start the windows bootloader.

With secure boot, UEFI will check, if the bootloader (in the above example: GRUB) was signed by a key it can verify. That is the case with the windows bootloader, but not with grub. So, in order to boot non windows systems, Microsoft has published a mini bootloader called Shim. Shim is signed by Microsoft and can thus be booted with UEFI with secure boot active. But Shim can't check the integrity of GRUB, nor the integrity of linux or the windows bootloader, if loaded by grub. Therefore, as soon as you use dual boot, secure boot basically becomes ineffective.

On the other hand, Ubuntu should boot fine, whether from USB or once you have installed it (I say should, because even though all documentation I ever read says "will", I have had to disable secure boot in the past to run linux). If secure boot would prevent that, it would prevent GRUB from loading. In that case you wouldn't even get to the "install"/"Try without installing"-choice.

PaterSiul

Posted 2017-05-07T07:12:27.973

Reputation: 338

Thanks. I'll try formatting the USB to FAT32. So what you're saying is since by dual boot, secure boot becomes ineffective, I can just go ahead and delete the platform keys? There is no scenario, I'll need to use those keys in the future? Now I do a lot of work on windows, I just need a faster linux option than a VM, for now. – kchak – 2017-05-08T06:53:27.673

Yes, with dual boot, secure boot becomes ineffective. But no, there is one scenario, where secure boot becomes interesting again: if you decide to get rid of linux and want secure boot for windows again. In that case you'll want the default keys. But: Your UEFI should have an option to "Reset secure boot to factory defaults" or "Restore default secure boot keys" or the like. – PaterSiul – 2017-05-08T07:00:11.073

This answer is mostly correct; however: (1) Shim is not written by Microsoft. IIRC, it was originally written by Matthew Garrett when he worked for Red Hat, and Red Hat remains its primary developer. That said, the Shim binaries distributed by major Linux distributions are signed by Microsoft, or at least by their agents. (2) Secure Boot is by no means ineffective in a dual-boot environment -- unless of course it's deliberately disabled. This is seldom necessary, although in rare cases it is, and in less rare cases Secure Boot causes enough problems that it's convenient to disable it. – Rod Smith – 2017-05-08T22:22:59.760