Unenroll keys #248

Open
BRTPOB opened this issue Sep 30, 2023 · 4 comments

BRTPOB commented Sep 30, 2023

I was attempting to get Secure Boot set up on my Surface Book 2 and I seem to have skipped some steps, so I've got sbctl installed but I can't actually get it working as it should. Looking at the help and man pages, there's nothing that explains how to properly unenroll/remove the keys that were generated so that I can start from scratch.

Is there an option/ability to do so, and if so, what are the commands needed for that?

Also feels like this would be good to be documented somewhere, as I'm sure others have run into this as well.

@Liassica

The process for unenrolling the sbctl-enrolled keys is the same as removing the manufacturer keys (or any other secure boot keys). See steps 1-5 of the example workflow.

As for the keys themselves, I would figure deleting the directory they were installed to (/etc/secureboot by default) would be sufficient, although you could probably reuse them.

@IPlayZed

@Foxboron Is there a way to query the firmware to reset all keys to the vendor-provided ones programmatically from userspace? I see that in the documentation, there is the reset subcommand, but it only resets the PK, not the KEK, DB, DBX.

@Foxboron
Owner

You misunderstand what the reset command does. It removes the PK to put you into setup mode. You can freely run rotate-keys or enroll-keys.

You can't only enroll vendor provided ones, that isn't the job of sbctl. Use the BIOS menu for that.
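
A check for the state described in the comment above, as an added example that is not part of the thread or of sbctl's own code: it reads the `SetupMode` and `SecureBoot` variables from efivarfs to tell whether the PK is gone (setup mode), which is the point at which keys can be enrolled again. The function names, state labels and sample directories are assumptions made for this example; the sample variable files are constructed.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state from efivarfs files.
# EFI global variable GUID; efivarfs names files <Name>-<GUID>.
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efi_flag DIR NAME: print the first data byte of a variable as decimal.
# Every efivarfs file starts with a 4-byte attribute word, so skip 4 bytes.
efi_flag() {
    f="$1/$2-$GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && echo "$v"
}

# sb_state DIR: print no-efivars, setup-mode, user-mode-enforcing
# or user-mode-not-enforcing (labels chosen for this example).
sb_state() {
    setup=$(efi_flag "$1" SetupMode) || { echo no-efivars; return 0; }
    secure=$(efi_flag "$1" SecureBoot) || secure=0
    if [ "$setup" = 1 ]; then
        echo setup-mode               # no PK enrolled: keys can be enrolled
    elif [ "$secure" = 1 ]; then
        echo user-mode-enforcing      # PK enrolled, signatures enforced
    else
        echo user-mode-not-enforcing  # PK enrolled, Secure Boot switched off
    fi
}

# make_sample DIR SETUP SECURE: write constructed variable files
# (attribute word 0x00000006, then one data byte) so this runs offline.
make_sample() {
    mkdir -p "$1"
    printf "\\006\\000\\000\\000\\00$2" > "$1/SetupMode-$GUID"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SecureBoot-$GUID"
}

tmp=$(mktemp -d)
make_sample "$tmp/after-reset" 1 0    # constructed: PK removed
make_sample "$tmp/after-enroll" 0 1   # constructed: keys enrolled, enforcing
for d in "$tmp/after-reset" "$tmp/after-enroll" /sys/firmware/efi/efivars; do
    echo "$d: $(sb_state "$d")"
done
rm -rf "$tmp"
```

Only the `/sys/firmware/efi/efivars` line reflects the real firmware; the other two come from the constructed samples.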

@IPlayZed

Then this issue could be closed to not clutter the actual ones.
