Hello,
Thanks for responding. I am quite sure I am not using a shim lock at all. I simply signed the grub image with the UEFI key. How would I go about installing a shim? And is it necessary?

Thanks,
Federico

PS: I followed a guide on Gentoo's wiki.

On November 22, 2023 12:23:07 AM GMT+01:00, Adam Vodopjan <[email protected]> wrote:
>
>On 22/11/2023 00:25, Federico Angelilli wrote:
>> Hello,
>> A few months ago I decided to turn on secure boot on my dual OS desktop,
>> mainly due to some SB related shenanigans in Windows 11.
>> After a (fairly long) session of trial and error, I finally got everything
>> to work like this:
>> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with the
>> right SB key
>> 2) When updating grub, sign it with the SB key as well
>>
>> Everything now works: I can boot with SB enabled to grub, then I can either
>> choose to use the signed Linux kernel or the Windows chainloader.
>> Except for a small detail: I can boot even from the unsigned kernels. While
>> I first thought of it as an error in my configuration, it turned out to
>> be a shortcoming in grub itself (as far as I understand), which simply cannot
>> verify SB signatures on its own.
>
>
>Have you got shim installed? IIRC grub uses some shim's service to verify
>kernels. So under SB you should boot into shim, not into grub directly.
>
>
>There is also the --disable-shim-lock option in grub-mkimage. Maybe that's your
>case.
>
>
>>
>> So, how can I set up grub in a way that I can:
>> 1) boot with secure boot enabled to the grub menu
>> 2) only boot from entries that are signed themselves
>>
>> Thanks,
>> Federico
>>
>>
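The thread turns on whether the kernels GRUB loads actually carry a Secure Boot signature, and the original poster found that GRUB would happily boot unsigned ones. A quick defender-side check is to look at each EFI binary's PE header for an Authenticode certificate table (data directory index 4), which is what tools like `sbverify --list` report. The following is an added example written for this page, not code from the thread, GRUB or shim; it parses that header field and builds a constructed, minimal PE32+ image (not a loadable binary) to exercise both the signed and unsigned cases. The `scan_boot_dir` helper and its default file patterns are assumptions about a typical `/boot` layout.

```python
"""Report whether EFI/PE binaries carry an Authenticode (Secure Boot) signature.

Added example: checks only for the presence of a WIN_CERTIFICATE table in the
PE header. It does NOT verify the signature or chain it to the db key; use
sbverify --cert <cert.pem> <file> for that.
"""
import struct
from pathlib import Path
from typing import Dict, NamedTuple, Tuple

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 blob
SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY


class SignatureInfo(NamedTuple):
    signed: bool
    reason: str
    cert_offset: int = 0
    cert_size: int = 0


def inspect_pe_signature(data: bytes) -> SignatureInfo:
    """Walk DOS header -> PE header -> optional header -> data directories."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return SignatureInfo(False, "not a PE/EFI image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return SignatureInfo(False, "bad PE signature")
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                      # optional header starts after COFF header
    if size_opt < 2 or opt + size_opt > len(data):
        return SignatureInfo(False, "truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+ (what x86_64 EFI binaries use)
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        return SignatureInfo(False, f"unknown optional header magic 0x{magic:x}")
    if n_dirs_off + 4 > opt + size_opt:
        return SignatureInfo(False, "optional header too short for data directories")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    entry = dirs_off + 8 * SECURITY_DIR_INDEX
    if n_dirs <= SECURITY_DIR_INDEX or entry + 8 > opt + size_opt:
        return SignatureInfo(False, "no certificate table directory entry")
    # For the security directory the first field is a FILE offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return SignatureInfo(False, "certificate table is empty (unsigned)")
    if cert_size < 8 or cert_off + cert_size > len(data):
        return SignatureInfo(False, "certificate table points outside the file")
    _length, _revision, ctype = struct.unpack_from("<IHH", data, cert_off)
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return SignatureInfo(False, f"unexpected WIN_CERTIFICATE type 0x{ctype:x}",
                             cert_off, cert_size)
    return SignatureInfo(True, "Authenticode PKCS#7 signature present", cert_off, cert_size)


def scan_boot_dir(boot: Path, patterns: Tuple[str, ...] = ("*.efi", "vmlinuz*")) -> Dict[str, SignatureInfo]:
    """Inspect every matching file under a boot directory (assumed layout)."""
    results: Dict[str, SignatureInfo] = {}
    for pattern in patterns:
        for path in sorted(boot.rglob(pattern)):
            if path.is_file():
                results[str(path)] = inspect_pe_signature(path.read_bytes())
    return results


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample: a header-only PE32+ image, optionally with a cert table."""
    opt_size = 112 + 8 * 16               # PE32+ fields plus 16 data directories
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    image = bytearray(dos + coff + bytes(opt) + b"\0" * 64)  # stand-in for sections
    if signed:
        pkcs7 = b"\x30\x82\x00\x10" + b"X" * 16   # placeholder DER blob, not a real signature
        cert_len = 8 + len(pkcs7)
        cert = struct.pack("<IHH", cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert_off = len(image)
        image += cert
        dirs_off = len(dos) + len(coff) + 112
        struct.pack_into("<II", image, dirs_off + 8 * SECURITY_DIR_INDEX, cert_off, cert_len)
    return bytes(image)


if __name__ == "__main__":
    for label, blob in (("signed", build_minimal_pe(True)), ("unsigned", build_minimal_pe(False))):
        print(label, inspect_pe_signature(blob))
    for name, info in scan_boot_dir(Path("/boot")).items():
        print(f"{'SIGNED  ' if info.signed else 'UNSIGNED'} {name}: {info.reason}")
```

A kernel that shows up as UNSIGNED here is exactly the kind of entry GRUB will still load when it has no shim verifier to consult, which matches what the original poster observed. Presence of the table only proves a signature is attached; whether it chains to the key enrolled in db (and whether it is a real signature at all) is what `sbverify --cert` decides, so treat this scan as triage, not as the verification step.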
