Yes, I added my key to the uefi pk db. Sorry for being vague but a while passed.
Anyway, everyone seems to agree that for my use case I need the shim. However, from what I found online (not a lot, truthfully) it is a tool separate from grub, made by Debian and verified directly by Microsoft. Since I'm not using a distro with shim preinstalled, could you point me to some guide explaining from scratch how to add it?

Thanks,
Federico

On November 22, 2023 8:59:16 AM GMT+01:00, Andrei Borzenkov <[email protected]> wrote:
>On Wed, Nov 22, 2023 at 10:37 AM Federico Angelilli <[email protected]> wrote:
>>
>> Hello,
>> I already imported the sb keys from the uefi and signed my grub image.
>> However the problem is that apart from the uefi verification of the grub
>> image itself, no other verification is done by grub.
>
>grub is using shim services to verify Linux kernel. You must use shim.
>If you already replaced standard Microsoft PK and KEK with your own
>(at least, that is how I interpret "imported the sb keys from the
>uefi" which is pretty vague), you can sign the shim with your key to
>authorize it.
>
>> This would mean that I can actually boot on unsigned kernels from grub (with
>> sb enabled!). But I can sign correctly both the kernel and grub as of now.
>>
>> On November 22, 2023 6:40:18 AM GMT+01:00, Mathias Radtke <[email protected]>
>> wrote:
>> >Hi,
>> >
>> >So, how can I set up grub in a way that I can:
>> >1) boot with secure boot enabled to the grub menu
>> >
>> >You would need to import your key into the SecureBoot Database in your
>> >machine's UEFI.
>> >This way your system knows this signature is valid.
>> >The official way would be to build a shim with your PubCert inside and have
>> >it signed by Microsoft so you can get an officially verified shim that can
>> >start your own signed grub. This way is a very long route and involves a
>> >review process. As you are using it solely for yourself you don't need it.
>> >
>> >Regards
>> >
>> >Mathias
>> >
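Added example, not part of the thread: once shim, grub and the kernel have been signed with your own key, a quick offline sanity check is to confirm each EFI binary actually carries an Authenticode entry in its PE Attribute Certificate Table (the same table `sbverify --list` reads). The two sample images below are constructed in the block itself and are not real bootloaders; the payload bytes stand in for a PKCS#7 blob and are not validated cryptographically.

```python
import struct

DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}   # PE32 / PE32+ optional header
SECURITY_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode certificate type


def authenticode_certificates(image: bytes):
    """Return (revision, cert_type, payload_len) for every entry in the
    image's Attribute Certificate Table; an unsigned image yields []."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image: missing PE signature")
    opt_off = pe_off + 4 + 20                  # skip signature and COFF header
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in DATA_DIR_OFFSET:
        raise ValueError(f"unsupported optional header magic 0x{magic:x}")
    dirs = opt_off + DATA_DIR_OFFSET[magic]
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)   # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return []
    # Unlike the other directories, the security entry holds a file offset.
    table_off, table_size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR_INDEX)
    if table_off == 0 or table_size == 0:
        return []
    certs, pos, end = [], table_off, table_off + table_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > len(image):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        certs.append((revision, cert_type, length - 8))
        pos += (length + 7) & ~7                # entries are 8-byte aligned
    return certs


def looks_signed(image: bytes) -> bool:
    """True if at least one Authenticode (PKCS#7) certificate entry is present."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in authenticode_certificates(image))


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ layout (not a real bootloader) for testing."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(112 + 16 * 8)               # fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + 20 + len(opt)   # certificate table follows the headers
    payload = b"constructed-placeholder-not-a-real-pkcs7-blob"
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, header_len, 8 + len(payload))
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt) + (cert if signed else b"")
```

Presence of the table only shows the file was signed by something; whether the signer is trusted is decided by the db/dbx (and shim's vendor cert or MOK list) at boot.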
