"Delete System76 and Microsoft keys (Use your own)" doesn't actually delete them

After choosing "Delete System76 and Microsoft keys (Use your own)" in the firmware setup menu, both System76 and Microsoft keys can still be seen with sbkeysync from Linux.

The code hints that only PK is deleted and the computer is immediately rebooted, but the keys of System76 and Microsoft are not actually deleted:

https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr#L108
https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c#L4521-L4523
https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c#L4842-L4858

I would expect all these steps to be performed to actually delete vendor keys:

https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c#L4181-L4210

	case KEY_SECURE_BOOT_DELETE_PK:
	//GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
	//if (SetupMode == NULL \|\| (*SetupMode) == SETUP_MODE) {
	// IfrNvData->DeletePk = TRUE;
	// IfrNvData->HasPk = FALSE;
	// *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
	//} else {
	// IfrNvData->DeletePk = FALSE;
	// IfrNvData->HasPk = TRUE;
	// *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
	//}
	//if (SetupMode != NULL) {
	// FreePool (SetupMode);
	//}
	// XXX: Is this safe?
	gRT->ResetSystem(EfiResetCold, Status, 0, NULL);
	break;

	// Clear all the keys and databases
	Status = DeleteDb ();
	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
	DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
	return Status;
	}

	Status = DeleteDbx ();
	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
	DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
	return Status;
	}

	Status = DeleteDbt ();
	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
	DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
	return Status;
	}

	Status = DeleteKEK ();
	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
	DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
	return Status;
	}

	Status = DeletePlatformKey ();
	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
	DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
	return Status;
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

"Delete System76 and Microsoft keys (Use your own)" doesn't actually delete them #40

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	case KEY_SECURE_BOOT_DELETE_PK:
	Status = DeletePlatformKey();
	break;

"Delete System76 and Microsoft keys (Use your own)" doesn't actually delete them #40

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions