On 12.08.2022 19:27, Akshath Hegde wrote:
> Hi,
> I'm trying to bring up ubuntu on qemu with secure boot enabled. I have
> registered PK, KEK and db, and enabled secure boot option.
>
> In the initial grub.cfg file under ESP, I have set check_signatures to
> enforce. This file is signed by my gpg key. After this I'm creating a grub
> image with --pubkey option set to gpg key

It all is rather vague. There are private and public keys and it is unclear what you used. What file format "gpg key" has etc.

> file and modules containing "
> pgp verifiers gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"
>

Never describe what you did. Always copy and paste exact commands with full output.

> The created grubx64.efi, vmlinuz are signed with db key and all the grub
> modules, the second grub cfg file, vmlinuz and initrd are signed with my
> gpg key
>
> But with this the image fails to boot. In the grub console, I see
> list_trusted is empty.

This implies that whatever you used as "gpg key" is not recognized as valid GPG public key by grub. Can you load the same file manually on grub command line?

> But in the grub image hexdump I see the key is
> present and pgp has been included in the modules while creating the image.
> On the console, insmod gpg doesn't seem to change this either as trusted
> list is still empty. I have set debug to loader,verify, but don't see any

"insmod gpg" after core.img was loaded does not add any keys. You have to do it manually with "trust" command.

> messages coming up.
> Any help in debugging further would be appreciated
>
> Thanks
> Akshath
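
The file-format question raised in the reply can be checked offline before rebuilding the image. The following Python check is an added example, not part of the thread or of GRUB's code: it reads the first OpenPGP packet header of a candidate key file and reports whether it is a binary public key. It assumes GRUB's pgp verifier wants a binary (non-armored) version 4 RSA or DSA public key, in line with the gcry_rsa and gcry_dsa modules listed above; `classify_key` and the sample bytes are constructed for illustration.

```python
import sys

ARMOR = b"-----BEGIN PGP "
# Assumption: GRUB's pgp module accepts only v4 RSA (1) and DSA (17) keys.
GRUB_ALGOS = {1: "RSA", 17: "DSA"}

def classify_key(data: bytes):
    """Return (usable, reason) for a candidate --pubkey / trust file."""
    if data.lstrip().startswith(ARMOR):
        return False, "ASCII-armored; export again without --armor"
    if len(data) < 2 or not data[0] & 0x80:
        return False, "not an OpenPGP packet"
    first = data[0]
    if first & 0x40:                      # new-format header (RFC 4880 4.2.2)
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            hdr = 2
        elif l0 < 224:
            hdr = 3
        elif l0 == 255:
            hdr = 6
        else:
            return False, "partial-length packet, not a key export"
    else:                                 # old-format header (RFC 4880 4.2.1)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            return False, "indeterminate-length packet, not a key export"
        hdr = 1 + (1, 2, 4)[ltype]
    if tag == 5:
        return False, "secret key packet; export the public key instead"
    if tag != 6:
        return False, f"first packet has tag {tag}, expected 6 (public key)"
    body = data[hdr:hdr + 6]              # version, 4-byte creation time, algorithm
    if len(body) < 6:
        return False, "truncated public key packet"
    if body[0] != 4:
        return False, f"key packet version {body[0]}, expected 4"
    if body[5] not in GRUB_ALGOS:
        return False, f"public-key algorithm {body[5]} is not RSA or DSA"
    return True, f"binary v4 {GRUB_ALGOS[body[5]]} public key"

if __name__ == "__main__":
    # Constructed header bytes only (no real key material) when no file is given.
    sample = bytes([0x99, 0x01, 0x0D, 4, 0, 0, 0, 0, 1])
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample
    print(classify_key(data))
```

A file that passes this check is the one to try with the "trust" command on the GRUB command line, followed by list_trusted, as the reply suggests.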
