Difficulty Enabling Secure Boot with Custom Keys
From: Scott Colby
Subject: Difficulty Enabling Secure Boot with Custom Keys
Date: Wed, 07 Oct 2020 11:26:58 -0400
User-agent: Cyrus-JMAP/3.3.0-407-g461656c-fm-20201004.001-g461656c6
Hello,
I am trying to enable secure boot with GRUB on the latest Debian
10 with custom secure boot keys. Unfortunately, I am receiving an
error from GRUB: "error: /vmlinuz-4.19.0-11-amd64 has invalid
signature".
Here are the steps that I have taken:
- generated 3 keys for the PK, KEK, and db key
- added those to my system's firmware
- signed ESP/EFI/debian/grubx64.efi with the db key
- signed /boot/vmlinuz-4.19.0-1{0,1}-amd64 with the db key
- enabled secure boot
My system firmware happily loads the signed grubx64.efi and takes
me to the boot menu. I think I am lacking some understanding of how
GRUB verifies the signatures of the kernel image that it loads--I
thought that it would compare the signature to the db key from the
EFI variables, but that doesn't seem to work.
Here are the troubleshooting steps I have tried:
- running update-grub and update-initramfs: no change
- removing the extra signature on the kernel images (in my initial
configuration, they had been signed by both my and Debian's key):
no change
What am I missing here?
Thank you,
Scott Colby
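As an added, constructed example (not part of Scott's message and not Debian's or GRUB's own tooling), here are the key generation, signing and verification steps from the list above written out with openssl and sbsigntool, plus the check worth running on every image before Secure Boot is enabled: that the signature on the image verifies against exactly the db certificate that was enrolled, and how many signatures the image carries. The subject name, the scratch directory in $WORK and the presence of openssl and sbsigntool on the machine are assumptions.

```shell
#!/bin/sh
# Constructed example: throwaway db key, signing of a PE image (GRUB or a
# vmlinuz), and the verification checks. Assumes openssl and sbsigntool
# (sbsign/sbverify) are installed; nothing here touches firmware variables.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Create a self-signed db certificate. sbsign/sbverify take the PEM form;
# the DER copy (db.cer) is the form firmware enrolment menus usually expect.
make_db_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example custom db key/" \
        -keyout "$WORK/db.key" -out "$WORK/db.crt" 2>/dev/null
    openssl x509 -in "$WORK/db.crt" -outform DER -out "$WORK/db.cer"
}

# Sign a PE image with the db key.  $1 = input image, $2 = signed output.
# sbsign appends an Authenticode signature; signing an already signed image
# yields an image with two signatures (the dual-signature case in the post).
sign_image() {
    sbsign --key "$WORK/db.key" --cert "$WORK/db.crt" --output "$2" "$1"
}

# Return 0 only if the image carries a signature that verifies against the
# given PEM certificate.  $1 = image, $2 = certificate.  Run this with the
# same certificate you enrolled into db; a mismatch here is the first thing
# to rule out when a loader reports an invalid signature.
verify_image() {
    sbverify --cert "$2" "$1" >/dev/null 2>&1
}

# Print the number of signatures on a PE image (0 for unsigned or non-PE).
# sbverify --list prints one "signature N" header per embedded signature.
count_signatures() {
    sbverify --list "$1" 2>/dev/null | grep -c '^signature [0-9]' || true
}

# Driver: sign each image given on the command line and verify the result.
main() {
    make_db_key
    for img in "$@"; do
        sign_image "$img" "$img.signed"
        if verify_image "$img.signed" "$WORK/db.crt"; then
            echo "OK   $img.signed ($(count_signatures "$img.signed") signature(s))"
        else
            echo "FAIL $img.signed does not verify against $WORK/db.crt" >&2
            exit 1
        fi
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh sign-check.sh /boot/vmlinuz-4.19.0-11-amd64` (as root, on a copy if you prefer) produces `vmlinuz-4.19.0-11-amd64.signed` and reports whether it verifies. Running `verify_image` against the certificate actually enrolled in firmware (efitools' `efi-readvar -v db` shows what is enrolled) is the quickest way to confirm that the image, the certificate and the firmware all agree; `count_signatures` makes the "signed by two keys" state visible rather than guessed at.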