Source: shim
Version: 15.4-7
Severity: normal

Hi,

I was trying to follow https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key to be able to sign my locally built kernels (especially for debugging purposes). As I already have a signing setup using my OpenPGP smartcard, and I prefer not having the private key on the same system as the code to be signed, I tried to use the signature key on my smartcard to generate a self-signed certificate, then import that certificate to the MOKList using the steps described in the wiki.

Unfortunately, while importing the key itself (mokutil --import + the step after reboot) works, after that shim freezes when loading the grubx64.efi image (according to debug logs with mokutil --set-verbosity true).

In order to rule out any issue with the smartcard setup, I used the exact steps described in the wiki, replacing rsa:2048 by rsa:4096 in the key generation. The same behavior is exhibited, so it really looks like RSA 4096 is not totally supported in shim.

What's weird is that when using the boot menu on my laptop and trying to load fwupdx64.efi, it somehow tries to load grubx64.efi and fwupdx64.efi and this time it manages to load properly, so there's definitely something fishy here.

The tests were done on a LENOVO ThinkPad X280 laptop with the latest firmware.

If you need more information, please ask!

Regards,
--
Yves-Alexis

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
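A check worth running before (or after) enrolling a MOK, given the key-size dependence described in this report: read the RSA modulus size out of a DER certificate, whether the MOK.der produced by the wiki's openssl step or the MOK-NNNN.der files written by `mokutil --export`. This is an added example, not code from the report, shim or the Debian wiki; it assumes only that openssl is installed.

```sh
#!/bin/sh
# Print the RSA key size in bits of a DER-encoded X.509 certificate.
# Works with both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and
# "Public-Key: (N bit)" (OpenSSL 3) in the -text output.
mok_key_bits() {
    cert="$1"
    openssl x509 -in "$cert" -inform DER -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Build a throwaway self-signed certificate of the given RSA size,
# mirroring the wiki's "openssl req -new -x509 -newkey rsa:SIZE" step,
# and write it out as DER. The private key is discarded: test material only.
make_test_cert() {
    bits="$1"; out="$2"
    tmpdir=$(mktemp -d)
    openssl req -new -x509 -newkey "rsa:$bits" -keyout "$tmpdir/key.pem" \
        -out "$tmpdir/cert.pem" -nodes -days 1 -subj "/CN=mok-size-test/" \
        >/dev/null 2>&1
    openssl x509 -in "$tmpdir/cert.pem" -outform DER -out "$out"
    rm -rf "$tmpdir"
}

# Walk every exported MOK (MOK-*.der in the current directory) and flag
# any whose key size differs from the 2048 bits the wiki recipe uses,
# so a non-default size like the 4096 in this report is visible before
# a reboot is attempted.
audit_moks() {
    for f in MOK-*.der; do
        [ -e "$f" ] || continue
        bits=$(mok_key_bits "$f")
        if [ "$bits" = "2048" ]; then
            echo "$f: $bits-bit RSA (wiki default)"
        else
            echo "$f: $bits-bit RSA (differs from wiki default)"
        fi
    done
}
```

Run `mokutil --export` in an empty directory and then `audit_moks` there to list the sizes of the keys currently enrolled in the MOKList.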