[TUTORIAL] Re-enroll UEFI keys.

tomtom13
Hi,
one of my machines decided to kick its mortal coil. The machine got replaced, but the old disks have been moved to the new machine. Now UEFI is stating that it can't boot because it doesn't have the right signature.

Is there any how-to etc. on how to install the debian / shim keys into the BIOS, so that the machine can boot up?
 
Ok, so I've managed to get this working after a lot of searching. For posterity:

1. boot up the machine in unsecured mode.
2. let the cluster stabilise, especially if you have ceph on that node
3. check your UEFI boot entries with
Code:
efibootmgr -v
4. if you don't have a proxmox entry, then, well, you should do something about it :)
5. IF and only IF you previously installed your system with secure boot on the previous machine and you're just shifting disks, you should be safe for the next step; if not, you have to do some leg work.
6. find out where your EFI partition is, with
Code:
lsblk -o +FSTYPE
Just be VERY AWARE that your VMs will also show in that listing, so you need to find your real, true hard drive partition; it should look like this
Code:
├─nvme0n1p2                      259:3    0     1G  0 part             vfat
7. use that partition data along with the magical proxmox tool (thanks guys for that):
Code:
proxmox-boot-tool init /dev/nvme1n1p2 grub
8. ???
9. PROFIT

Hope that helps.


edit: I can't stress enough how nice it is that that utility is present; it does all the required steps and makes sure that grub is installed in proper fashion, including enrolment of the proxmox key in the UEFI. Without it you would have to find where your key database is on your system, find the right entry, enrol it, not slip a finger when calling grub-install, etc. etc. etc. Everything "just works".
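Added example, not from the original post and not a Proxmox tool: a small POSIX shell helper that does steps 6 and 7 above without eyeballing the listing. It parses `lsblk -P` key=value output, keeps only partitions that are vfat and carry the EFI System Partition type GUID, drops anything that lives on a zvol (zd*), a mapped RBD image (rbd*), a loop device or a device-mapper node (dm-*), which is where VM disks show up in lsblk, and prints one `proxmox-boot-tool init <dev> grub` line per host ESP (a ZFS-mirror install has one ESP per disk, and each one needs its own init). The lsblk listing and device names below are constructed, the exclusion patterns are an assumption about the usual Proxmox storage layout, and nothing touches the system: the script only prints the commands for you to review and run.

```sh
#!/bin/sh
# Added example: find the host's EFI System Partition(s) from lsblk output while
# skipping VM disks, then print the proxmox-boot-tool command for each one.
# Not part of the original post; the sample listing and device names are constructed.

ESP_GUID="c12a7328-f81b-11d2-ba4b-00a0c93ec93b"   # GPT type GUID of an EFI System Partition

# Constructed sample of `lsblk -P -o NAME,KNAME,PKNAME,TYPE,FSTYPE,PARTTYPE,SIZE`:
# one NVMe host disk (BIOS boot on p1, ESP on p2, ZFS root on p3) and one zvol (zd0)
# backing a VM whose own ESP (zd0p1) must NOT be picked up.
SAMPLE_LSBLK='NAME="nvme0n1" KNAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" PARTTYPE="" SIZE="931.5G"
NAME="nvme0n1p1" KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="" PARTTYPE="21686148-6449-6e6f-744e-656564454649" SIZE="1007K"
NAME="nvme0n1p2" KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" PARTTYPE="c12a7328-f81b-11d2-ba4b-00a0c93ec93b" SIZE="1G"
NAME="nvme0n1p3" KNAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" FSTYPE="zfs_member" PARTTYPE="6a898cc3-1dd2-11b2-99a6-080020736631" SIZE="930.5G"
NAME="zd0" KNAME="zd0" PKNAME="" TYPE="disk" FSTYPE="" PARTTYPE="" SIZE="32G"
NAME="zd0p1" KNAME="zd0p1" PKNAME="zd0" TYPE="part" FSTYPE="vfat" PARTTYPE="c12a7328-f81b-11d2-ba4b-00a0c93ec93b" SIZE="512M"
NAME="zd0p2" KNAME="zd0p2" PKNAME="zd0" TYPE="part" FSTYPE="ext4" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" SIZE="31.5G"'

# esp_candidates: read lsblk -P lines on stdin and print /dev/<kname> for every
# partition that is vfat, has the ESP type GUID, and does not sit on a zvol (zd*),
# a mapped RBD image (rbd*), a loop device or a device-mapper node (dm-*).
# The exclusion list is an assumption about where VM disks appear on a Proxmox host.
esp_candidates() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        kname=''; ptype=''; fstype=''; parttype=''
        # The chosen columns never contain spaces, so word-splitting on KEY="VALUE" is safe.
        for kv in $line; do
            key=${kv%%=*}
            val=${kv#*=}; val=${val#\"}; val=${val%\"}
            case $key in
                KNAME)    kname=$val ;;
                TYPE)     ptype=$val ;;
                FSTYPE)   fstype=$val ;;
                PARTTYPE) parttype=$val ;;
            esac
        done
        [ "$ptype" = part ] && [ "$fstype" = vfat ] && [ "$parttype" = "$ESP_GUID" ] || continue
        case $kname in zd*|rbd*|loop*|dm-*) continue ;; esac
        printf '/dev/%s\n' "$kname"
    done
}

# plan_reinit: read candidate devices on stdin and print one init command per ESP.
# `grub` forces proxmox-boot-tool into the shim+GRUB mode that secure boot needs.
# Fails if no host ESP was found, so nothing is ever guessed.
plan_reinit() {
    n=0
    while read -r dev; do
        n=$((n + 1))
        printf 'proxmox-boot-tool init %s grub\n' "$dev"
    done
    [ "$n" -gt 0 ] || { echo "no host ESP found; inspect lsblk -o +FSTYPE,PARTTYPE by hand" >&2; return 1; }
}

# Real host:  lsblk -P -o NAME,KNAME,PKNAME,TYPE,FSTYPE,PARTTYPE,SIZE | esp_candidates | plan_reinit
# Here the constructed sample is used instead, and only the command is printed.
printf '%s\n' "$SAMPLE_LSBLK" | esp_candidates | plan_reinit
```

On the real host, pipe the `lsblk -P` listing into `esp_candidates | plan_reinit`, check that the printed device(s) really are on the boot disk(s), run the lines, and then confirm with `proxmox-boot-tool status` before turning secure boot back on.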
 
It's a bit ironic: today I had exactly the same model of machine fail in exactly the same way, and I had to move all the disks to the spare chassis and use my own guide.
 
May I ask what value SecureBoot brings to your setup (and maintenance workload), especially with the shim?

BTW, you may help more people find your piece if you mark it as [TUTORIAL]; that's available when you edit the title. Actually it's top right and called "edit thread".
 
Thanks for the advice on the tutorial bit.
About the UEFI, well, it's an interesting question. I don't get any more maintenance. I only run my own test clusters, and converted two "entities" to using proxmox, so their admin does the heavy lifting, but from my experience there is no extra work required on a bog-standard deployment.
Now about the value, oh boy. You don't know the value of security until you get your arse handed to you by an attacker. I had a boot chain infection once in the past (non-x86 machine) and I learned my lesson not to ignore it. Since then, whenever there was an out-of-the-box option for a root of trust, I used it. One project I was awarded was to actually implement a boot chain of trust; fun fact, one of their guys told me that the previous project manager didn't believe in encryption and was let go. Let me tell you, the state of the project was so dire that once or twice I wondered myself whether the previous guy didn't work for "the other side". What's funnier is that the units were meant to be used in an "adverse environment" with a high probability of tampering.
 
