On Fri, 2021-03-19 at 17:51 +0000, Oliver, Dario N wrote:
> I could not find any docs on what to do after installing 2.x as regards 
> Secure Boot.
> Should I sign that with my own key and perform Secure Boot customization?
> Can I use the Machine Owner Keys (MOK) feature of the Linux Shim to get that 
> verified?
> After rebooting with Secure Boot enabled, I got the error messages saying 
> that multiboot2 and relocator could not be found, which is weird because I 
> still have them installed in "/boot/efi/EFI/fedora/x86_64-efi/"

If you 'make all' TBOOT, you should get a tboot.mb2 file inside the tboot
folder. That binary can be signed with the standard sbsign tool and then
loaded from GRUB2 using multiboot2.

Looks like Fedora still does not allow running multiboot2 kernels when
Secure Boot is enabled. You should try to build GRUB2 from upstream
and then check whether you are able to boot the signed tboot.mb2 file. If you
face any issues I can help you and set up a QEMU environment where you will
be able to check how it works. TXT in QEMU does not work, but at least we
should get to the point where TBOOT starts and complains that the platform is
incompatible.

I suggest using MOK; however, a custom PK or KEK should also work.
Generate your own key, provision it to the MOK database and sign tboot.mb2.

Thanks,
Lukasz
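The key-generation, MOK enrolment and sbsign steps from the reply above, as an added example script (not part of the thread or of the tboot project). It assumes sbsigntools and mokutil are installed, and KEYDIR and TBOOT are placeholder paths.

```shell
#!/bin/sh
# Added example: generate a Machine Owner Key, queue it for enrolment in
# shim's MOK list, and sign tboot.mb2 so GRUB2 can load it via multiboot2.
# Assumes sbsigntools (sbsign/sbverify) and mokutil are installed.
set -u

KEYDIR="${KEYDIR:-$HOME/mok}"                 # key material location (placeholder)
TBOOT="${TBOOT:-/path/to/tboot/tboot.mb2}"    # output of 'make all' (placeholder)

# 1. Create an RSA-2048 signing key and a self-signed X.509 certificate.
gen_mok_key() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=tboot MOK signing key/" \
        -keyout "$dir/mok.key" -out "$dir/mok.pem" 2>/dev/null || return 1
    # shim/mokutil expect the certificate in DER form
    openssl x509 -in "$dir/mok.pem" -outform DER -out "$dir/mok.der" || return 1
    chmod 600 "$dir/mok.key"
}

# 2. Queue the certificate; shim's MokManager asks for the password and
#    confirms the enrolment on the next reboot.
enroll_mok() {
    mokutil --import "$1"
}

# 3. Sign the multiboot2 image and confirm the signature verifies against
#    the same certificate before relying on it under Secure Boot.
sign_tboot() {
    key="$1"; cert="$2"; in="$3"; out="$4"
    sbsign --key "$key" --cert "$cert" --output "$out" "$in" || return 1
    sbverify --cert "$cert" "$out"
}

# Run the full procedure only when invoked as: sh mok-sign.sh run
if [ "${1:-}" = run ]; then
    gen_mok_key "$KEYDIR"
    enroll_mok "$KEYDIR/mok.der"
    sign_tboot "$KEYDIR/mok.key" "$KEYDIR/mok.pem" "$TBOOT" "${TBOOT%.mb2}.signed.mb2"
fi
```

After the reboot, `mokutil --list-enrolled` shows whether the certificate made it into the MOK list.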

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel