How to remove OEM keys

A quick guide for Linux systems

Eligibility

To check if you have OEM key do:

[ -f /sys/firmware/acpi/tables/MSDM ] && echo "OEM key was found." || echo "You do not have any OEM keys."

To check if it's possible to remove them:

ls /sys/firmware/efi/efivars/OA* &>/dev/null && echo "You may be able to remove them!" || echo "The OEM key may be stored somewhere else instead of NVRAM."

If the OEM key was found but is stored somewhere else, you may have to flash the BIOS with a removed OEM key version. This could be done using flashrom or an external programmer.

Deleting the key

sudo chattr -i /sys/firmware/efi/efivars/OA*

This will remove the removal protection that blocks even with sudo.

sudo rm /sys/firmware/efi/efivars/OA*

Finally, this will remove them completely.

Completion

You may want to reboot for changes to apply. To reboot:

sudo reboot

Check again whether or not the OEM key has been finally removed using the command at the top.

That’s it! You have now fully locked into Linux, no more OEM bloat!