HP Recommended
EliteBook 840 G3
Linux

I've been using my laptop with Linux (Gentoo to be precise) for some time now. Everything works fine, however in order to get it booting using UEFI I had to disable secure boot.

 

Yesterday I finally tried to enable secure boot using custom keys. I prepared a full certificate chain (PK, KEK, DB) and signed my GRUB EFI binary with a key included in the DB. Next I enabled the option in BIOS to install custom keys and disabled the option to install Microsoft keys as I don't use Windows on this laptop. Then I started the KeyTool EFI application to install the keys, which was successful. I noticed that the application enabled secure boot by itself (I left it disabled in BIOS).

 

Unfortunately when I rebooted the laptop the screen remained blank. The LEDs appeared to be working, the keyboard LEDs responded, but no display. Eventually I tried to blindly type my disk encryption password and surprisingly my Linux system started and I was able to log in to it remotely. I was also able to connect an external monitor which worked normally. The laptop LCD panel however remains blank and even the OS does not recognize its existence.

 

My UEFI custom keys have been loaded successfully - I have checked that from Linux.

 

So it looks like loading the keys triggered something that caused at least part of the BIOS to fail.

 

The question now is how to bring my BIOS back to life.

10 REPLIES 10
HP Recommended

Hi

 

Short answer...

https://support.hp.com/us-en/document/c02693833

Turn off the notebook.
Plug the notebook into a power source using the power adapter.
With the notebook off, press and hold the Windows logo key and the B key at the same time (WinKey +B).

NB: On some notebook models, it might be necessary to press and hold the Windows logo key and the V key (WinKey +V).

While pressing those keys, press and hold the Power button on the computer for 2 to 3 seconds, and then release the Power button but continue to hold the Windows logo key and the B or V key until the HP BIOS update screen displays or you hear a beeping sound (usually 8 beeps).

 

But I feel it is deeper than that.

 

It may actually be a Boot Loader issue.

 

Linux Magazine No.  206 January 2018...

 

Possibly more later.

HP Recommended

Hi

 

I expect you have already covered all of this...

 

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot

https://wiki.gentoo.org/wiki/UEFI_Gentoo_Quick_Install_Guide

Installing Gentoo on a UEFI-capable system is now covered by the Gentoo Handbook. Please follow the relevant steps in the Handbook when running on a UEFI-enabled boot medium such as the LiveDVD or the Gentoo-based SystemRescueCD

 

 

Doubt this is relevant, but you can google for it...

 

efibootmgr --create --label "My Gentoo" --loader MyGentoo.efi

 

If successful you get a message, typically

 

BootCurrent: 0000

Timeout 2 seconds

BootOrder:  0000.0001

Boot0000* gentoo

Boot0001* My Gentoo

HP Recommended

The boot configuration works - GRUB is installed and configured with efibootmgr to boot by default.

 

The secure boot also works as the GRUB binary is signed and trusted by the key chain I enrolled and secure boot seems to be enabled:

# hexdump /sys/firmware/efi/efivars/SecureBoot-* | awk '{print $4}' 
0001

It looks like some configuration variable got corrupted and BIOS got confused or there is some silent assumption in the BIOS about the presence of certain OEM keys in the keystore. At the moment the keystore only contains my custom keys:

# efi-readvar
Variable PK, length 811
PK: List 0, type X509
    Signature 0, size 783, owner 87c66d29-3c87-499f-8b2c-841f740c7df5
        Subject:
            CN=fozzie PK
        Issuer:
            CN=fozzie PK
Variable KEK, length 813
KEK: List 0, type X509
    Signature 0, size 785, owner 87c66d29-3c87-499f-8b2c-841f740c7df5
        Subject:
            CN=fozzie KEK
        Issuer:
            CN=fozzie KEK
Variable db, length 1620
db: List 0, type X509
    Signature 0, size 783, owner 87c66d29-3c87-499f-8b2c-841f740c7df5
        Subject:
            CN=fozzie DB
        Issuer:
            CN=fozzie DB
db: List 1, type X509
    Signature 0, size 781, owner 6f307028-9ae7-49d7-af6e-f91a5e90c4a1
        Subject:
            CN=kriss DB
        Issuer:
            CN=kriss DB
Variable dbx has no entries
Variable MokList has no entries
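
The two checks in the post above (reading the SecureBoot variable and listing the enrolled certificates), written as one small Python audit. This is an added example, not code from the thread; it assumes the efivarfs layout of a 4-byte attribute mask followed by the variable data and the efi-readvar text layout quoted above, and the function names are hypothetical.

```python
import re
import struct

def decode_efivar(raw):
    """Split an efivarfs file into (attribute mask, payload bytes)."""
    if len(raw) < 4:
        raise ValueError("missing 4-byte attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]

def parse_readvar(text):
    """Map each variable in efi-readvar output to its certificate entries."""
    store, entries, owner, field, subject = {}, None, None, None, None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"Variable (\w+)(?:, length \d+| has no entries)", s):
            entries = store[m.group(1)] = []   # new variable, possibly empty
        elif m := re.match(r"Signature \d+, size \d+, owner ([0-9a-f-]{36})", s):
            owner = m.group(1)
        elif s in ("Subject:", "Issuer:"):
            field = s                          # the next line carries the DN
        elif field == "Subject:":
            subject, field = s, None
        elif field == "Issuer:":
            entries.append({"owner": owner, "subject": subject, "issuer": s})
            field = None
    return store

def audit(secureboot_raw, readvar_text):
    """Summarise Secure Boot state and what the key store actually trusts."""
    _, data = decode_efivar(secureboot_raw)
    store = parse_readvar(readvar_text)
    return {
        "secure_boot": data[:1] == b"\x01",
        "subjects": {v: [c["subject"] for c in e] for v, e in store.items()},
        "only_self_signed": all(c["subject"] == c["issuer"] for e in store.values() for c in e),
        "empty": sorted(v for v, e in store.items() if not e),
    }

# Constructed SecureBoot file bytes: attribute mask 0x00000006, then value 1.
SECUREBOOT_RAW = bytes.fromhex("0600000001")
# Excerpt of the efi-readvar output quoted in the post above.
READVAR = """Variable PK, length 811
PK: List 0, type X509
    Signature 0, size 783, owner 87c66d29-3c87-499f-8b2c-841f740c7df5
        Subject:
            CN=fozzie PK
        Issuer:
            CN=fozzie PK
Variable dbx has no entries"""

print(audit(SECUREBOOT_RAW, READVAR))
```

On a live system the inputs would be the bytes of the SecureBoot file under /sys/firmware/efi/efivars/ and the full text printed by efi-readvar.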

 

HP Recommended

Hi

 

If you were using 'shim' there should be a MOK (Machine Owners Key) registered.

 

To use this you must generate your own key, you have, to match with your own hand rolled kernel, Gentoo.

 

Generate Key Pair - openssl

Sign Modules - sign-file

Secure the Private Key - VeraCrypt

Store Certificate as MOK & Assign Password - mokutil

 

Restart Linux  -  Reboot

 

###

 

Select Function

Check Certificate

Enter PassWord  - Enroll MOK

 

 

HP Recommended

Like I described in the first post - I did not use any shim or MOK.

 

I have completely erased the existing keystore and deployed my own certificates (PK, KEK, DBs) and signed GRUB with a certificate listed in the DB.

HP Recommended

OK

 

You skipped 25% of the boot process.

 

Secure Boot needs the OS signing and you say you haven't done that?

 

So replace the BIOS as in my first post.

 

BYE.

HP Recommended

Like I said: all keys are deployed and the OS (GRUB in my case) is signed. The secure boot process works as far as I can tell. I am writing this post from the laptop in question, which is a good enough proof for it.

 

I will see what I can do with the BIOS update.

 

In any case replacing the BIOS will fix things by reverting the changes I've done. This will however not solve the problem as I expect that when I try to activate secure boot using my custom keys the black screen will be back - this is however another problem - likely one for HP developers to fix.

HP Recommended

For now this is proving to be a nightmare.

 

I have tried the Win+B combination and the only reaction I can see is that the fan starts spinning full speed just as if the CPU was in a busy loop. No beeps, no LEDs, no screen, nothing. Waited around a minute and gave up.

 

I got a second, identical laptop from a colleague at work to serve as a guide for blindly walking through the menus. I have initially tried to walk through the BIOS Setup to reset it to factory settings, but I noticed that I was not hearing the beeps where I was hearing them on the working laptop's BIOS Setup so this got me to the conclusion that the Setup is not working.

 

Next I have tried to prepare a USB stick with the BIOS image to upgrade. This turned out to be a challenge. HP allows you to do this via the BIOS updater program, which is delivered with each BIOS update package. Unfortunately some $%$%hole designed it so that you cannot even build such a Rescue USB unless you run it on the exact same laptop model (chicken-and-egg problem).* While I have a second laptop, both of them are running Linux. I have tried this on a Windows VM, but it fails as it cannot recognize the hardware.

 

I have also tried to manually place the BIOS .BIN file on a blank FAT32-formatted USB stick in the path requested by the BIOS Update (EFI/HP/BIOS/New, Hewlett-Packard/BIOS/New), but the built-in updater was unable to recognize them - probably some additional magic is needed, which is nowhere documented.

 

This starts to look like a motherboard replacement will be the only solution.

 

* The updater retrieves the hardware information from WMI. This is perfectly fine when you'd like to do the actual upgrade as it will stop you from flashing a BIOS for a different laptop model. What I do not understand is why this updater does those checks even when trying to build a rescue USB - this operation will not touch the actual BIOS and should be perfectly safe to do on any computer - not necessarily a compatible one.

HP Recommended

Right, I was able to fool the HP BIOS Updater utility into thinking that my Windows VM is an HP EliteBook 840 G3 laptop by fabricating some SMBIOS data:

 

<sysinfo type='smbios'>
  <bios>
    <entry name='vendor'>HP</entry>
    <entry name='version'>N75 Ver. 01.18</entry>
    <entry name='date'>10/17/2017</entry>
    <entry name='release'>1.18</entry>
  </bios>
</sysinfo>

https://libvirt.org/formatdomain.html#elementsSysinfo

 

After doing this the HP BIOS Updater utility was able to create a BIOS recovery USB which I managed to use for upgrading the BIOS on the broken laptop. Unfortunately however nothing has changed (besides the BIOS version of course). Screen is still blank and Linux still boots as before.
