Unsolved

1 Rookie • 2 Posts

320

April 3rd, 2025 03:58

Precision 7920 - Issue Deleting Platform Key (PK) for Secure Boot

I am experiencing an issue with managing the Platform Key (PK) in the BIOS of my Dell Precision 7920 desktop. My system has TPM (Trusted Platform Module) enabled.

I previously enrolled custom keys in the BIOS to enable Secure Boot with a Linux distribution. I have now installed a new Linux distribution and need to enroll a new set of custom keys to be able to enable Secure Boot.

However, I am unable to delete the existing Platform Key. I have attempted the following actions within the BIOS Custom Key Management settings:

  1. Reset All Keys: This action cleared the other key databases (like KEK, db, dbx), but the original Platform Key remains.
  2. Factory Reset: Performing a factory reset of the BIOS also did not remove the existing Platform Key nor revert it to the default Dell PK (PKDefault).
  3. Delete All Keys: I have tried the option to delete all keys within the Custom Key Management section, but the Platform Key persists.
  4. Deleting Individual Keys: I also attempted to delete the individual Platform Key, but it did not result in the key being removed.

The screenshot below shows the EFI variables; the PK is different even after a factory reset.

It appears that only the forbidden signature database (dbx) was successfully cleared through these attempts.

My goal is to either delete the current Platform Key so I trigger setup mode and enroll new custom keys for my current Linux installation, or force the system to use the Dell PKDefault key so that I can install Windows 11 with Secure Boot enabled and sell my computer. Unfortunately, I no longer have access to the signing key that was used to enroll the initial custom Platform Key.

Could you please provide guidance on how to completely remove the existing Platform Key from my Precision 7920 BIOS or how to force it to utilize the PKDefault key? I need to do this to successfully configure Secure Boot with my new Linux distribution.

Thank you for your time and assistance.

Sincerely,

devshah

9 Legend • 8.1K Posts

April 3rd, 2025 22:34

Clear your TPM to see if it may help.

1 Rookie • 2 Posts

April 4th, 2025 04:24

Thank you for the suggestion. After attempting to clear the TPM, the issue persists. Based on the UEFI specification version 2.7, section 31.3.2, clearing the Platform Key (PK) should be possible through either:

  1. Signing a new PK with the existing PK, which is not feasible in my case due to the absence of the current PK's private key.
  2. A secure, platform-specific method, which I believe the 'delete all keys' option is intended to execute.

Therefore, my question is: If the 'delete all keys' method is failing to clear the PK, is this a BIOS bug, and who should I contact to report it?
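The variables discussed in this thread (the live PK versus PKDefault after a factory reset, SetupMode, and the authenticated-write attribute that section 31.3.2 relies on) can be inspected from Linux without a screenshot. The following Python is an added example, not code from the thread or from Dell: it decodes EFI_SIGNATURE_LIST structures the way efivarfs exposes them, compares the live PK against PKDefault by certificate fingerprint, and reports SetupMode. The owner GUIDs and certificate bytes in the samples are constructed placeholders; only report() touches real files, reading /sys/firmware/efi/efivars on the affected machine.

```python
"""Added example: decode Secure Boot key variables as Linux exposes them under
/sys/firmware/efi/efivars, check whether the live PK still equals PKDefault,
and decode SetupMode.  Sample variables below are constructed with placeholder
certificate bytes, not real OEM data."""
import hashlib
import os
import struct
import uuid

# Vendor GUID of PK, PKDefault, SetupMode and SecureBoot (EFI_GLOBAL_VARIABLE)
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Variable attribute bits; efivarfs stores them as a little-endian uint32 in
# front of the payload.  PK must carry bit 0x20, which is why a plain write
# (no EFI_VARIABLE_AUTHENTICATION_2 signed by the current PK owner) is
# rejected once the platform has left setup mode.
ATTRS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
}


def split_efivar(raw):
    """Return (attribute bits, payload) from an efivarfs file image."""
    if len(raw) < 4:
        raise ValueError("efivar image shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def parse_signature_lists(data):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a PK/KEK/db payload.

    Returns [(signature_type_guid, [(owner_guid, signature_bytes), ...]), ...].
    """
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if (list_size < 28 + hdr_size or off + list_size > len(data)
                or sig_size < 16 or (list_size - 28 - hdr_size) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        entries, pos = [], off + 28 + hdr_size
        for _ in range((list_size - 28 - hdr_size) // sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append((sig_type, entries))
        off += list_size
    return lists


def cert_fingerprints(raw):
    """SHA-256 of every X.509 certificate carried by a key variable."""
    _, data = split_efivar(raw)
    return [hashlib.sha256(cert).hexdigest()
            for sig_type, entries in parse_signature_lists(data)
            if sig_type == EFI_CERT_X509_GUID
            for _, cert in entries]


def attribute_names(raw):
    """Human-readable attribute flags of an efivar image."""
    attrs, _ = split_efivar(raw)
    return [name for bit, name in ATTRS.items() if attrs & bit]


def pk_matches_default(pk_raw, pkdefault_raw):
    """True when the live PK carries exactly the certificate(s) of PKDefault."""
    return cert_fingerprints(pk_raw) == cert_fingerprints(pkdefault_raw)


def flag_is_set(raw):
    """Decode the one-byte SetupMode / SecureBoot variables."""
    _, data = split_efivar(raw)
    return data[:1] == b"\x01"


def build_pk_var(owner, cert_der, attrs=0x27):
    """Encode a single-certificate PK image (used only to build the samples)."""
    sig_size = 16 + len(cert_der)
    esl = (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
           + owner.bytes_le + cert_der)
    return struct.pack("<I", attrs) + esl


# Constructed samples: an OEM default PK and a different, user-enrolled PK.
# The owner GUIDs are hypothetical and the "certificates" are placeholder bytes.
OEM_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000dead")
USER_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")
SAMPLE_PKDEFAULT = build_pk_var(OEM_OWNER, b"OEM-DEFAULT-PK-CERT-PLACEHOLDER")
SAMPLE_PK = build_pk_var(USER_OWNER, b"CUSTOM-PK-CERT-PLACEHOLDER")
SAMPLE_SETUPMODE = struct.pack("<I", 0x06) + b"\x00"   # SetupMode = 0, user mode


def report(efivars="/sys/firmware/efi/efivars"):
    """Read the real variables on a Linux host and summarise the PK state."""
    def load(name):
        with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL_VARIABLE}"), "rb") as f:
            return f.read()
    pk, pkdef, setup = load("PK"), load("PKDefault"), load("SetupMode")
    return {
        "setup_mode": flag_is_set(setup),
        "pk_attrs": attribute_names(pk),
        "pk_is_oem_default": pk_matches_default(pk, pkdef),
        "pk_fingerprints": cert_fingerprints(pk),
    }


if __name__ == "__main__":
    print("sample PK equals PKDefault:", pk_matches_default(SAMPLE_PK, SAMPLE_PKDEFAULT))
    print("sample PK attributes:", attribute_names(SAMPLE_PK))
```

On the thread's scenario the expected reading is pk_is_oem_default False with setup_mode False: the PK carries the time-based authenticated-write attribute, so the firmware will only accept a replacement that is either signed by the current PK's private key or written through a firmware-provided reset path, which is exactly the pair of options quoted from the specification above.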

9 Legend • 8.1K Posts

April 4th, 2025 04:45

For warranty and technical support, click on the Get Help Now button on the lower right of this screen.

1 Rookie • 11 Posts

April 14th, 2025 10:38

I would suggest looking into this Cybersecurity Technical Report published by the National Security Agency in 2023:

UEFI Secure Boot Customization

The authors of this technical report recommend using Keytool. I know it is not the answer you are looking for—like me, you would prefer this ability being implemented in firmware, but at least we have a workaround to remove the dangerous platform key from our workstations:

Keytool may or may not have the ability to replace or delete the existing keys and start fresh depending on UEFI implementation. Keytool is usually a reliable way to replace the PK even when UEFI configuration or command line calls fail.

Let us know if it works for you.
