There is a dedicated page in the wiki https://wiki.gentoo.org/wiki/Shim
On 22/11/2023 07:06, Federico Angelilli wrote:
> Hello,
> Thanks for responding.
>
> I am quite sure I am not using a shim lock at all. I simply signed with the
> uefi key the grub image. How would I go about installing a shim? And is it
> necessary?
>
> Thanks,
> Federico
>
> PS: I followed a guide on gentoo's wiki
>
>
> On November 22, 2023 12:23:07 AM GMT+01:00, Adam Vodopjan
> <[email protected]> wrote:
> > On 22/11/2023 00:25, Federico Angelilli wrote:
> > > Hello,
> > > A few months ago I decided to turn on secure boot on my dual os desktop,
> > > mainly due to some SB related shenanigans in Windows 11. After a (fairly
> > > long) session of trial and error, I finally got everything to work like
> > > this:
> > > 1) Whenever my kernel is built (I'm using a custom kernel) sign it with
> > >    the right SB key
> > > 2) When updating grub, sign it with the SB key as well
> > > Everything now works: I can boot with SB enabled to grub, then I can
> > > either choose to use the linux signed kernel or the windows chainloader.
> > > Except for a small detail: I can boot even from the unsigned kernels.
> > > While I first thought of it as an error on my configuration, it turned
> > > out to be a shortcoming in grub itself (as far as I understand), that
> > > simply cannot verify sb signatures on its own.
> >
> > Have you got shim installed? IIRC grub uses some shim's service to verify
> > kernels. So under SB you should boot into shim, not into grub directly.
> > There is also the --disable-shim-lock option in grub-mkimage. Mby that's
> > your case.
> >
> > > So, how can I set up grub in a way that I can:
> > > 1) boot with secure boot enabled to the grub menu
> > > 2) only boot from entries that are signed themselves
> > > Thanks,
> > > Federico
