
Invalid signature #447


Open
Anninzy opened this issue Apr 2, 2025 · 6 comments

Comments

@Anninzy

Anninzy commented Apr 2, 2025

I followed the quickstart up until this point:
https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#entering-secure-boot-setup-mode

After enabling secure boot, attempting to boot leads to

Secure Boot Violation
Invalid signature detected. Check Secure Boot Policy in Setup

Selecting OK on this prompt boots to Windows.

Disabling Secure Boot lets me boot into NixOS again.

@kuflierl
Contributor

kuflierl commented Apr 5, 2025

What does sbctl status say?

@Anninzy
Author

Anninzy commented Apr 5, 2025

Installed:	✓ sbctl is installed
Owner GUID:	3751042f-e4d5-43b7-93a5-795c0b10b79d
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft builtin-db builtin-KEK builtin-PK

@kuflierl
Contributor

kuflierl commented Apr 6, 2025

Installed:	✓ sbctl is installed
Owner GUID:	3751042f-e4d5-43b7-93a5-795c0b10b79d
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled
Vendor Keys:	microsoft builtin-db builtin-KEK builtin-PK

Looks good, you enrolled the keys just fine. What does sudo sbctl verify say, though?

@Anninzy
Author

Anninzy commented Apr 6, 2025

That gives:

✓ /boot/EFI/Boot/bootx64.efi is signed
✓ /boot/EFI/Linux/nixos-generation-115-pqfwc4j35ygmm5ksl4n2dcwcbrcv3davd47bo2yne5zj2ses6emq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-116-6aedznfg5smiyd2tyrrtzhjyvjujqqm4h3yspvpelstzghh2xvyq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-117-rediefxa5wu34bykbmhudh2onp3qbss7c6wuuj3ovaib3vyblrna.efi is signed
✓ /boot/EFI/Linux/nixos-generation-118-t6sphlvwfqyr3jnm5evwj4f5ambtkaunzyjx6wmww74cbclkwkzq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-119-sdp3l2sjhizj7z55zqqhoxo55erjm2bk36hleznspztdjwgqrmuq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-120-c76siqzagh6fkn6jvfhixezeebpn2hh3gdxqko3b53yoqsmwy6za.efi is signed
✗ /boot/EFI/Microsoft/Boot/Resources/bootres.dll is not signed
✗ /boot/EFI/Microsoft/Boot/Resources/en-US/bootres.dll.mui is not signed
✗ /boot/EFI/Microsoft/Boot/SecureBootRecovery.efi is not signed
✗ /boot/EFI/Microsoft/Boot/bg-BG/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/bg-BG/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✗ /boot/EFI/Microsoft/Boot/bootmgr.efi is not signed
✗ /boot/EFI/Microsoft/Boot/cs-CZ/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/cs-CZ/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/cs-CZ/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/da-DK/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/da-DK/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/da-DK/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/de-DE/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/de-DE/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/de-DE/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/el-GR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/el-GR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/el-GR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-GB/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-GB/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/en-US/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-ES/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-ES/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-ES/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-MX/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/es-MX/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/et-EE/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/et-EE/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fi-FI/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fi-FI/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fi-FI/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-CA/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-CA/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-FR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-FR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/fr-FR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hr-HR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hr-HR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hu-HU/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hu-HU/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/hu-HU/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/it-IT/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/it-IT/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/it-IT/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ja-JP/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ja-JP/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ja-JP/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_10df.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_10ec.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_14e4.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_15b3.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_1969.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_19a2.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_1af4.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_02_8086.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_07_1415.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kd_0C_8086.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kdnet_uart16550.dll is not signed
✗ /boot/EFI/Microsoft/Boot/kdstub.dll is not signed
✗ /boot/EFI/Microsoft/Boot/ko-KR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ko-KR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ko-KR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lt-LT/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lt-LT/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lv-LV/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/lv-LV/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/memtest.efi is not signed
✗ /boot/EFI/Microsoft/Boot/nb-NO/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nb-NO/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nb-NO/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nl-NL/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nl-NL/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/nl-NL/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pl-PL/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pl-PL/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pl-PL/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-BR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-BR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-BR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-PT/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-PT/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/pt-PT/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/qps-ploc/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ro-RO/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ro-RO/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ru-RU/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ru-RU/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/ru-RU/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sk-SK/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sk-SK/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sl-SI/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sl-SI/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sr-Latn-RS/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sr-Latn-RS/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sv-SE/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sv-SE/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/sv-SE/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/tr-TR/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/tr-TR/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/tr-TR/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/uk-UA/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/uk-UA/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-CN/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-CN/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-CN/memtest.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-TW/bootmgfw.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-TW/bootmgr.efi.mui is not signed
✗ /boot/EFI/Microsoft/Boot/zh-TW/memtest.efi.mui is not signed
✗ /boot/EFI/nixos/kernel-6.12.21-cmcjqatqft6ng3fzjrqiwcupsvkai26ep2i4q6vnt4x65ip5nb6a.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed

@wtestcase

wtestcase commented Apr 23, 2025

Same here. I'm on an Acer Nitro N50-620. My BIOS doesn't have an option to enter setup mode; the only key management option is to delete all keys, and I can't manually delete the PK from the BIOS. I've tried efitools' efi-updatevar, but that didn't work either.

@kuflierl
Contributor

Same here. I'm on an Acer Nitro N50-620. My BIOS doesn't have an option to enter setup mode; the only key management option is to delete all keys, and I can't manually delete the PK from the BIOS. I've tried efitools' efi-updatevar, but that didn't work either.

Deleting all keys "should" be fine as long as you:

  1. don't have anything important on your tpm
  2. update your Secure Boot Revocation List after the setup
  3. handle vendor specific firmware signing (sbctl enroll microsoft or enroll tpm should be fine)

If you do, do it at your own risk. I did this and it worked just fine.
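
The two diagnostic steps in this thread (reading sbctl status, then sorting the long sbctl verify list into entries that matter and entries that don't) and the pre-check for step 3 above (whether the Microsoft certificates are in db before a dual-boot machine relies on Secure Boot) can be mechanised. The following is an added example written for this page; it is not code from lanzaboote, sbctl or anyone in the thread. It parses the plain-text output format shown above. The sample strings are constructed from the output posted here with the long store hashes replaced by EXAMPLE, and the classification rules are this example's own assumptions: .mui and .dll entries are resources rather than PE images the firmware executes directly; .efi files under EFI/Microsoft are Microsoft-signed and reported as "not signed" only because sbctl checks against its own key; and the bare kernel under EFI/nixos is assumed to be loaded by the signed stub in EFI/Linux rather than by the firmware.

```python
"""Triage helper for `sbctl status` / `sbctl verify` output (added example).

Not part of lanzaboote or sbctl. Classification rules below are assumptions
made for this example, not sbctl's own verification logic.
"""
import re

# Constructed sample: abbreviated copy of the output posted in the issue,
# with store hashes replaced by EXAMPLE.
SAMPLE_STATUS = (
    "Installed:\t\u2713 sbctl is installed\n"
    "Owner GUID:\t3751042f-e4d5-43b7-93a5-795c0b10b79d\n"
    "Setup Mode:\t\u2713 Disabled\n"
    "Secure Boot:\t\u2717 Disabled\n"
    "Vendor Keys:\tmicrosoft builtin-db builtin-KEK builtin-PK\n"
)

SAMPLE_VERIFY = (
    "\u2713 /boot/EFI/Boot/bootx64.efi is signed\n"
    "\u2713 /boot/EFI/Linux/nixos-generation-120-EXAMPLE.efi is signed\n"
    "\u2717 /boot/EFI/Microsoft/Boot/Resources/bootres.dll is not signed\n"
    "\u2717 /boot/EFI/Microsoft/Boot/bootmgfw.efi is not signed\n"
    "\u2717 /boot/EFI/Microsoft/Boot/en-US/bootmgfw.efi.mui is not signed\n"
    "\u2717 /boot/EFI/nixos/kernel-6.12.21-EXAMPLE.efi is not signed\n"
    "\u2713 /boot/EFI/systemd/systemd-bootx64.efi is signed\n"
)

STATUS_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")
VERIFY_RE = re.compile(
    r"^[\u2713\u2717]\s+(?P<path>\S+) is (?P<state>signed|not signed)$"
)


def parse_status(text):
    """Map each `sbctl status` row to its value, dropping the tick/cross glyph.
    'Vendor Keys' is split into a list so membership checks are easy."""
    out = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").strip()
        val = m.group("val").lstrip("\u2713\u2717 ").strip()
        out[key] = val.split() if key == "Vendor Keys" else val
    return out


def parse_verify(text):
    """Return [(path, is_signed), ...] in the order sbctl printed them."""
    entries = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("state") == "signed"))
    return entries


def classify_unsigned(path):
    """Bucket an unsigned path. Assumed rules (see module docstring)."""
    lower = path.lower()
    if not lower.endswith(".efi"):
        # .mui / .dll: data loaded by the Windows boot manager, not a PE the
        # firmware runs on its own.
        return "resource"
    if "/efi/microsoft/" in lower:
        # Microsoft-signed vendor binary; sbctl only checks its own key, so
        # "not signed" here is expected as long as the Microsoft certs are in db.
        return "vendor"
    if "/efi/nixos/" in lower:
        # Assumption: bare kernel kept by lanzaboote next to the signed UKIs in
        # EFI/Linux and loaded by the signed stub, not by the firmware.
        return "kernel-fallback"
    # Anything else is an EFI executable the firmware may run unsigned.
    return "unsigned-executable"


def triage(status_text, verify_text):
    """Combine both outputs into findings a person can act on."""
    status = parse_status(status_text)
    findings = []
    if status.get("Secure Boot") == "Disabled":
        findings.append("secure-boot-off")
    if status.get("Setup Mode") == "Enabled":
        findings.append("setup-mode")            # keys can still be enrolled
    if "microsoft" not in status.get("Vendor Keys", []):
        findings.append("no-microsoft-db")       # Windows loader would fail db check
    entries = parse_verify(verify_text)
    unsigned = {}
    for path, signed in entries:
        if not signed:
            unsigned.setdefault(classify_unsigned(path), []).append(path)
    signed_count = sum(1 for _, s in entries if s)
    return {"findings": findings, "unsigned": unsigned, "signed": signed_count}


if __name__ == "__main__":
    report = triage(SAMPLE_STATUS, SAMPLE_VERIFY)
    print("findings:", report["findings"])
    print("signed entries:", report["signed"])
    for bucket, paths in report["unsigned"].items():
        print(f"{bucket}: {len(paths)} entries")
```

On a real machine, feed it `subprocess.run(["sbctl", "status"], capture_output=True, text=True).stdout` and the same for `sbctl verify`; only the "unsigned-executable" bucket and the "no-microsoft-db" finding are worth chasing, the resource and vendor buckets are noise from the Windows partition.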

3 participants