Hello, I apologize if this has already been answered somewhere. I did a cursory search of the mailing list history, but didn't find a clear answer.
I have my own 4096-bit RSA PK, KEK, and DB key enrolled in my BIOS. I have signed grub with the DB key, and it boots correctly.

Rather than using shim / MOKmanager / etc., I would like to have GRUB read the DB variable from the EFI store and use the certificates stored there to validate my initrd / vmlinux. I haven't found a way to do this yet. I can sign my initrd/vmlinux with a GPG key which I then store in my boot partition, but would like to be able to instead use the one set of keys from the UEFI DB variable to validate everything.

Can this be done?

Thanks!
-Aaron Pace
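The DB variable the message asks about is a concatenation of EFI_SIGNATURE_LIST structures, so whatever loader does the validation first has to walk that format and pull out the X.509 entries. The Python below is an added example, not part of the original message and not GRUB's code: it parses the db payload as efivarfs exposes it on Linux (a 4-byte attribute word followed by the signature lists), extracts the DER certificates a verifier would use, and rejects malformed length fields. The GUIDs and header layout are from the UEFI specification; the owner GUID, certificate bodies and hash in the sample are constructed stand-ins, and the efivarfs path is an assumption about where the variable lives on the reader's system.

```python
"""Walk a UEFI Secure Boot signature database (db/dbx/KEK) as read from efivarfs."""
import struct
import uuid

# GUIDs from the UEFI specification, Secure Boot signature database section.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER X.509 entries
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # raw SHA-256 entries

# Assumed location on a Linux host: efivarfs names variables <Name>-<VendorGuid>.
DB_EFIVARFS_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")


def strip_efivarfs_attributes(raw):
    """efivarfs prepends the 32-bit variable attributes to the payload; drop them."""
    if len(raw) < 4:
        raise ValueError("variable too short to carry an attribute word")
    return raw[4:]


def parse_signature_lists(data):
    """Return (SignatureType, SignatureOwner, SignatureData) for every entry.

    Each list is a header, an optional per-type SignatureHeader, then
    SignatureSize-byte EFI_SIGNATURE_DATA records (owner GUID + data).
    Length fields are validated before use so a corrupt variable cannot
    drive reads past the end of the buffer.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type_le, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=sig_type_le)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # must hold at least the owner GUID plus one byte of data
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body_off = off + SIGLIST_HDR.size + hdr_size
        body_len = list_size - SIGLIST_HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError(f"signature area ({body_len} bytes) not a multiple of {sig_size}")
        for i in range(body_len // sig_size):
            e = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=data[e:e + 16])
            entries.append((sig_type, owner, data[e + 16:e + sig_size]))
        off += list_size
    return entries


def x509_certificates(entries):
    """DER blobs of every X.509 entry: what a loader would hand to its verifier."""
    return [sig for sig_type, _owner, sig in entries if sig_type == EFI_CERT_X509_GUID]


def build_signature_list(sig_type, owner, signatures):
    """Inverse of the parser, used here only to construct sample input offline.

    The spec requires every entry in one list to have the same SignatureSize,
    so certificates of different lengths must go in separate lists.
    """
    sizes = {len(s) for s in signatures}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have equal length")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + s for s in signatures)
    hdr = SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


# Constructed sample: fake owner GUID, two equal-length stand-in "certificates"
# (not real DER) and one hash entry, prefixed with the attribute word 0x27
# (NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS) as efivarfs would show it.
OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
FAKE_CERT_A = b"\x30\x82" + b"A" * 60
FAKE_CERT_B = b"\x30\x82" + b"B" * 60
FAKE_HASH = bytes(range(32))
SAMPLE_DB = (b"\x27\x00\x00\x00"
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_A, FAKE_CERT_B])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [FAKE_HASH]))


def certs_from_db(raw=SAMPLE_DB):
    """Certificates from a raw efivarfs db dump (defaults to the constructed sample)."""
    return x509_certificates(parse_signature_lists(strip_efivarfs_attributes(raw)))


if __name__ == "__main__":
    for i, der in enumerate(certs_from_db()):
        print(f"db cert {i}: {len(der)} bytes, begins {der[:2].hex()}")
```

Against a live system, `certs_from_db(open(DB_EFIVARFS_PATH, "rb").read())` yields each DER certificate; writing them out and converting with `openssl x509 -inform der` gives PEM files that `sbverify --cert` accepts, which is a quick way to check from userspace whether a given vmlinuz or initrd image actually verifies against what the firmware holds in db.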