I’m trying to add the keys for IncusOS to a Dell Precision 7820T (TPM 2.0 enabled, secure boot enabled, custom mode, existing keys cleared) but the BIOS setup complains that the keys are in the wrong format.
Any ideas?
Interesting, we’ve never had that error on any DELL server, but their workstation firmware may be made by completely different people 
Any chance you could take a bunch of photos of the various configuration menus so we can see exactly what they’re asking for during custom serup?
We provide the keys as DER as that’s what we’ve seen every firmware support so far for manual enrollment, but maybe we just found the one implementation that requires PEM instead?
I thought I’d sit down and walk you through this with some nice screen shots, but wanted to get the current keys first, so booted into an Ubuntu Live session and used eft-reader to have a look:
Variable PK, length 704
PK: List 0, type X509
Signature 0, size 676, owner 12f075e0-2d07-493d-811a-00920a72c04c
Subject:
CN=Incus OS - Secure Boot PK R1, O=Linux Containers
Issuer:
CN=Incus OS - Secure Boot E1, O=Linux Containers
Variable KEK, length 705
KEK: List 0, type X509
Signature 0, size 677, owner 12f075e0-2d07-493d-811a-00920a72c04c
Subject:
CN=Incus OS - Secure Boot KEK R1, O=Linux Containers
Issuer:
CN=Incus OS - Secure Boot E1, O=Linux Containers
Variable db, length 1413
db: List 0, type X509
Signature 0, size 679, owner 12f075e0-2d07-493d-811a-00920a72c04c
Subject:
CN=Incus OS - Secure Boot 2025 R1, O=Linux Containers
Issuer:
CN=Incus OS - Secure Boot E1, O=Linux Containers
db: List 1, type X509
Signature 0, size 678, owner 12f075e0-2d07-493d-811a-00920a72c04c
Subject:
CN=Incus OS - Secure Boot 2026 R1, O=Linux Containers
Issuer:
CN=Incus OS - Secure Boot E1, O=Linux Containers
Variable dbx, length 1691
dbx: List 0, type X509
Signature 0, size 1663, owner 00000000-0000-0000-0000-000000000000
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows PCA 2010
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Variable MokList has no entries
So, colour me surprised: it looks like the IncusOS keys are actually installed. The error messages that the BIOS was displaying might be bogus!?
I’m tempted to clear the CMOS and re-flash the BIOS just to try again.
Ah, interesting. I guess your SecureBoot isn’t in enforce mode right now as you’d otherwise have been unable to boot the live Ubuntu media with that config in place.