Steam Deck

Kogut Nov 16, 2022 @ 5:07pm
Removing Secure Boot Platform Key
I work for Balena (the company that develops Etcher) on the OS team, developing our container-based application platform. I'm working on supporting secure boot for PCs running our operating system, at the request of several of our users.

In testing key enrollment, we've found that the firmware on some platforms behaves differently from others. For example, QEMU/OVMF doesn't allow platform key enrollment using efi-updatevar, even in setup mode, but sbctl works fine. Today, I was working on testing various PCs I have at my disposal to figure out which tools and processes work best in our application.

Unfortunately, after enrolling the platform key on my Steam Deck, it seems I'm unable to reset the platform key to disable secure boot, rendering my Deck unable to boot Steam OS again. I've checked the firmware menu, but I've found no option to delete the keys and re-enter setup mode as I've seen on other devices. Clearing the TPM and/or resetting to defaults doesn't disable secure boot either.

How can I erase the platform key and disable secure boot?
Last edited by Kogut; Nov 16, 2022 @ 5:12pm
Showing 1-15 of 16 comments
MeerFlunder Nov 17, 2022 @ 12:59pm 
Extract the SSD and try to disable secure Features on Steam SSD within another Environment, and or try to disable behaviour on Deck with another fresh SSD?
Jake Sully Nov 17, 2022 @ 2:57pm 
Originally posted by Ltn. Bloodfeast {-_-}:
Extract the SSD and try to disable secure Features on Steam SSD within another Environment, and or try to disable behaviour on Deck with another fresh SSD?
That won't work. Secure features are in the BIOS. Might be a bug in the BIOS firmware that locks secure boot from being disabled.
Last edited by Jake Sully; Nov 17, 2022 @ 2:57pm
Man's Best Friend Nov 17, 2022 @ 3:37pm 
Originally posted by Jake Sully:
That won't work. Secure features is in bios. Might be a bug in bios firmware that locks secure boot from being disabled.
Well, officially the Deck doesn't support Secure Boot at all, so there aren't any user-facing options for it to begin with. Which does make it interesting that apparently the system does at least internally support Secure Boot, otherwise the keys shouldn't be able to get set in any way that would actually work.

Not knowing much about managing Secure Boot, are there any tools that run within Windows (or whatever OS you added keys for) that allow key management? I suspect not as that would pretty much defeat the point.

This may be a case of needing Valve to officially support Secure Boot (though, I'm not sure you could install the update anyway...) or needing to send the Deck to Valve for service or replacement.
Stressed Nov 18, 2022 @ 2:12am 
The real question for a lot of users is can you install Windows 11 on it and run FIFA 23?
PopinFRESH Nov 18, 2022 @ 8:00am 
@Kogut, have you already tried reflashing SteamOS via the recovery image?

Originally posted by HTTP Error 418: I'm a teapot:
Well, officially the Deck doesn't support Secure Boot at all, so there aren't any user facing options for it to begin with. Which does make it interesting that apparently the system does at least internally support Secure Boot, otherwise the keys shouldn't be able to get set in any way that would actually work.

Not knowing much about managing Secure Boot, are there any tools that run within Windows (or whatever OS you added keys for) that allow key management? I suspect not as that would pretty much defeat the point.

This may be a case of needing Valve to officially support Secure Boot (though, I'm not sure you could install the update anyway...) or needing to send the Deck to Valve for service or replacement.

Secure Boot has been part of the UEFI specification since version 2.3.1 of the spec, and the Steam Deck is UEFI-only as far as I could tell from the firmware interface. It is not that the Steam Deck doesn't support Secure Boot. The firmware just doesn't currently have any user-accessible key management; however, the firmware can already have pre-enrolled keys. There are tools to manage keys and key enrollment, such as sbctl, which the OP noted.
Kogut Nov 18, 2022 @ 9:07am 
Originally posted by PopinFRESH:
have you already tried reflashing SteamOS via the recovery image?

Unfortunately, I have doubts that even the recovery image will work, as the bootloader/kernel aren't signed by the key my system is locked down with.
Last edited by Kogut; Nov 18, 2022 @ 9:10am
Kogut Nov 18, 2022 @ 9:09am 
I was able to acquire a `noPK.auth` that should work here, but it seems it doesn't.

/ # efi-updatevar -f /mnt/boot/noPK.auth PK
Failed to update PK: Invalid argument
Last edited by Kogut; Nov 18, 2022 @ 9:10am
Kogut Nov 18, 2022 @ 9:14am 
It seems my options here are currently limited to doing what I can within my power to reset the PK and tip the device back into setup mode. It would be nice if the setup menu had an option like many PCs to reset the secure efivars and turn off secure boot in cases like this.

I'm not upset at Valve for not including it, this was my doing, but it would be nice to have nonetheless. Regardless, even if/when Valve includes this option, I would still need to disable secure boot on my device before I would be able to update.
Kogut Nov 18, 2022 @ 9:31am 
Originally posted by Stressed:
The real question for a lot of users is can you install Windows 11 on it and run FIFA 23?

I assume this is possible, just understandably not supported by Valve. The Deck ships with, and is supported using SteamOS. If you can figure out how to enroll Microsoft's keys in your firmware, secure boot works, though there's currently no mechanism to reset it outside of the OS. I'm also unclear on whether you could remove Microsoft's PK at all and tip your device back into setup mode without their private key, which you won't get.

At least in my case I may be able to convince my colleague to share the signing key with me so I can unlock my device.
Kogut Nov 18, 2022 @ 10:47am 
I was able to remove the PK and move the device back into setup mode using the private key. SteamOS works again.

/ # chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
/ # efi-updatevar -d 0 -k /mnt/boot/PK.key PK
/ # sbctl status
Installed:   ✓ sbctl is installed
Owner GUID:  1d3cba99-e90d-40ab-97f9-6aad83c64b6d
Setup Mode:  ✗ Enabled
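A pre-flight check of the firmware key state, added here as an example and not code from the thread, from Balena or from Valve: it parses efivarfs the same variables efi-updatevar and sbctl read, so you can confirm you are in setup mode (and still hold the PK private key) before enrolling anything. The directory argument and the write_fake_efivar helper are assumptions added for offline testing.

```shell
#!/bin/sh
# Added example, not from the thread: read efivarfs to report whether the
# firmware is in setup mode, whether Secure Boot is enforcing, and whether a
# PK is enrolled. Once a PK is in place, the only way back to setup mode is
# an update signed by that PK's private key (the step Kogut needed above).
# Assumes POSIX sh with od, wc and tr; the directory defaults to the live mount.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivarfs file layout: a 4-byte little-endian attribute word, then the data.
# Print the first data byte (offset 4) as a decimal, or "absent".
efivar_first_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# A PK counts as enrolled when its file carries data beyond the attribute word.
pk_enrolled() {
    f="$1/PK-$EFI_GLOBAL_GUID"
    [ -r "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -gt 4 ]
}

# Classify the key state: setup / enforcing / disabled / no-efivars.
# "setup" is the only state in which PK/KEK/db can be written without a
# signed update; efivarfs also marks these files immutable, which is why
# the thread runs chattr -i before efi-updatevar can write PK.
secureboot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sm=$(efivar_first_byte "$dir" SetupMode)
    sb=$(efivar_first_byte "$dir" SecureBoot)
    if [ "$sm" = absent ] && [ "$sb" = absent ]; then echo no-efivars
    elif [ "$sm" = 1 ]; then echo setup
    elif [ "$sb" = 1 ]; then echo enforcing
    else echo disabled
    fi
}

# Constructed one-byte variable (attributes 0x06 = BS|RT) for offline tests only.
write_fake_efivar() {  # write_fake_efivar <dir> <Name> <0|1>
    f="$1/$2-$EFI_GLOBAL_GUID"
    printf '\006\000\000\000' > "$f"
    if [ "$3" = 1 ]; then printf '\001' >> "$f"; else printf '\000' >> "$f"; fi
}
```

On a live system, call `secureboot_state` with no argument; a result other than `setup` means a PK is already enforced and you will need that PK's private key to change the key hierarchy.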
Stressed Dec 11, 2022 @ 4:35pm 
Hi Kogut, I'm interested in enabling Secure Boot on my Steam Deck. Any chance you could provide some instructions on how to do this please? Thanks in advance.
Here's my write-up about Secure Boot, which I find interesting.

TLDR: Valve didn't ship the PK, KEK and DB for the Steam Deck; that's why Secure Boot is disabled.
Enrolling / generating your own keys will activate and enable Secure Boot.

https://github.com/ryanrudolfoba/SecureBootForSteamDeck
nix Dec 14, 2022 @ 1:47pm 
I note from the boot log that the tpm module is blacklisted too. I guess Valve knew what they were doing when they did that.
Stressed Dec 14, 2022 @ 11:50pm 
Originally posted by nix:
I note from the boot log that the tpm module is blacklisted too. I guess Valve knew what they were doing when they did that.
So you're saying Valve deliberately stopped Secure Boot from working?
nix Dec 15, 2022 @ 5:34am 
I don't know *why* it's blacklisted. Maybe they installed it and found something broke, so turned it off again until it was actually necessary? You'd have to ask them.

Date Posted: Nov 16, 2022 @ 5:07pm
Posts: 16