[uefi-secure-boot-guide] master: List steps which may allow switching Secure Boot status in the firmware (bb1bf13)

fweimer at fedoraproject.org
Mon Dec 1 19:09:11 UTC 2014


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit bb1bf13a819a558ea3c275d0e1fe39022ed8594d
Author: Florian Weimer <fweimer at redhat.com>
Date:   Mon Dec 1 20:07:50 2014 +0100

    List steps which may allow switching Secure Boot status in the firmware


>---------------------------------------------------------------

 en-US/System_Configuration.xml |   84 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 84 insertions(+), 0 deletions(-)

diff --git a/en-US/System_Configuration.xml b/en-US/System_Configuration.xml
index 2488485..5345022 100644
--- a/en-US/System_Configuration.xml
+++ b/en-US/System_Configuration.xml
@@ -314,6 +314,90 @@ enabled.
 </para>
 </section>
 
+<section id="sect-UEFI_Secure_Boot_Guide-System_Configuration-Additional">
+<title>Additional steps to enable the Secure Boot firmware option</title>
+<para>
+On some systems, the firmware option to switch the Secure Boot state
+is not always active and cannot be selected.  The following additional
+measures are worth a try.
+</para>
+<itemizedlist>
+  <listitem>
+    <para>
+      Set a non-empty supervisor password in the firmware.  This may
+      enable the Secure Boot option.  After toggling this option, you
+      can remove the supervsior password again.  Depending on the
+      firmware, you may have to set the password to an empty string to
+      disable it.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      Firmware may only allow changing the Secure Boot settings after
+      a physical presence check.  The following keyboard options may
+      not pass the physical presence check:
+    </para>
+    <itemizedlist>
+      <listitem>
+	<para>
+	  a USB keyboard connected to a laptop
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  a Bluetooth keyboard
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  a serial console
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  an IP KVM solution or other remote management facility
+	</para>
+      </listitem>
+    </itemizedlist>
+    <para>
+      You can try the following options instead where applicable:
+    </para>
+    <itemizedlist>
+      <listitem>
+	<para>
+	  a built-in keyboard or touch screen
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  a USB keyboard connected to a docking system, which in turn
+	  is connected to a laptop
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  a PS/2 keyboard
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  a keyboard directly connected to a server (and not a remote
+	  KVM solution)
+	</para>
+      </listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem>
+    <para>
+      The Secure Boot option might be protected, but access to the
+      Secure Boot key store is not.  Removing all keys in the key
+      store can disable Secure Boot even if the separate option for
+      this purpose cannot be switched off.
+    </para>
+  </listitem>
+</itemizedlist>
+</section>
+
 <section>
 <title>Known issues</title>
 <para>
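
Review bot: In the first listitem, "supervsior password" is misspelled and should read "supervisor password". The section title says "enable the Secure Boot firmware option", while the opening para speaks of switching the Secure Boot state and the last listitem only describes disabling Secure Boot by removing all keys from the key store; a title such as "Additional steps to switch the Secure Boot firmware option" would match the content. The last listitem should also say whether and how the removed keys can be restored afterwards, since a reader who follows it is left with an empty key store and no guidance on turning Secure Boot back on. In the opening para, "is not always active and cannot be selected" reads as two separate conditions; "is sometimes inactive and cannot be selected" would be clearer.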


