enroll custom secureboot keys

C

crabgrass

New Member
Jul 19, 2024
2
0
1
I need to test the deployment of Talos Linux with secureboot enabled. The Talos boot image has an option to enroll their custom keys. I've done this on bare metal systems before, I go into the UEFI firmware, clear the current keys, restart, enable custom keys and boot the Talos image. The keys are written and when the system restarts, I go into the UEFI settings and enable secureboot. When Talos boots, it shows on its dashboard that secureboot is enabled.

On Proxmox, I create the UEFI VM with the EFI disk. I tried without pre-enrolled keys and with the option enabled.

When I turn the VM on, I immediately see the message:
Enrolling secure boot keys from directory: \loader\keys\auto
Failed to write PK secure boot variable: Security Violation

I get the same message when I boot the Talos image and choose to auto enroll their keys.

Searching does not really bring up any help resolving the issue. Threads I found are about Proxmox installation itself, not secureboot inside a VM.

Thanks!
 
crabgrass said:
I need to test the deployment of Talos Linux with secureboot enabled. The Talos boot image has an option to enroll their custom keys. I've done this on bare metal systems before, I go into the UEFI firmware, clear the current keys, restart, enable custom keys and boot the Talos image. The keys are written and when the system restarts, I go into the UEFI settings and enable secureboot. When Talos boots, it shows on its dashboard that secureboot is enabled.

On Proxmox, I create the UEFI VM with the EFI disk. I tried without pre-enrolled keys and with the option enabled.

When I turn the VM on, I immediately see the message:
Enrolling secure boot keys from directory: \loader\keys\auto
Failed to write PK secure boot variable: Security Violation

I get the same message when I boot the Talos image and choose to auto enroll their keys.

Searching does not really bring up any help resolving the issue. Threads I found are about Proxmox installation itself, not secureboot inside a VM.

Thanks!
Click to expand...
Hi,
Not sure if you already figured this out, but I'll reply anyway as I just came across this myself and fixed it.

Choose the second option on the TALOS boot screen "Reboot into firmware interface".
From there, go to Device manager > Secure boot configuration > secure boot mode > custom mode - press enter.
Then go one menu option down to "custom secure boot options" > PK options > enroll pk > enroll pk using file - press enter.
From there choose the first EFI disk > EFI > KEYS > uki-signing-cert.der - press enter.
Choose "Commit changes and exit".
Press ESC til you're back at the top level menu, then choose "Reset".

All should be well now, and Talos will boot into maintenance mode from the CD.
The menu options are a bit confusing and I'm not sure this is the "right way" but it worked for me.

Hope this helps!
 
  • Like
Reactions: soldatz, bryvo01 and crabgrass
Hey @Nyanchovy thanks for sharing, this will definitely help.

I kind of gave up on it and tried to run talos bare metal instead. I got the same errors and thought perhaps the Talos iso had changed. I ran Talos 1.4 and 1.5 bare metal with secure boot on these same systems. Worked like a charm before so I didn't quite understand why it wouldn't work now.

I'll give it another shot! :D
 
I'm trying this exact thing but having the same problem.

I tried to enroll the certs this way but the machine seems to be keep setting it "standard" mode instead of "custom" mode and I can't seem to make it stick.
 
Nyanchovy said:
Hi,
Not sure if you already figured this out, but I'll reply anyway as I just came across this myself and fixed it.

Choose the second option on the TALOS boot screen "Reboot into firmware interface".
From there, go to Device manager > Secure boot configuration > secure boot mode > custom mode - press enter.
Then go one menu option down to "custom secure boot options" > PK options > enroll pk > enroll pk using file - press enter.
From there choose the first EFI disk > EFI > KEYS > uki-signing-cert.der - press enter.
Choose "Commit changes and exit".
Press ESC til you're back at the top level menu, then choose "Reset".

All should be well now, and Talos will boot into maintenance mode from the CD.
The menu options are a bit confusing and I'm not sure this is the "right way" but it worked for me.

Hope this helps!
Click to expand...
works perfectly - thank you!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom