Hello,
A few months ago I decided to turn on secure boot on my dual os desktop,
mainly due to some SB related shenanigans in Windows 11.
After a (fairly long) session of trial and error, I finally got
everything to work like this:
1) Whenever my kernel is built (I'm using a custom kernel) sign it with
the right SB key
2) When updating grub, sign it with the SB key as well
Everything now works: I can boot with SB enabled to grub, then I can
either choose to use the linux signed kernel or the windows chainloader.
Except for a small detail: I can boot even from the unsigned kernels.
While I first thought of it as an error on my configuration, I turned out to
be a shortcoming in grub itself (as far as I understand), that simply
cannot verify sb signatures on its own.
So, how can I set up grub in a way that I can:
1) boot with secure boot enable to the grub menu
2) only boot from entries that are signed themselves
Thanks,
Federico
