Difficulty Enabling Secure Boot with Custom Keys

From: Scott Colby
Subject: Difficulty Enabling Secure Boot with Custom Keys
Date: Wed, 07 Oct 2020 11:26:58 -0400
User-agent: Cyrus-JMAP/3.3.0-407-g461656c-fm-20201004.001-g461656c6


I am trying to enable secure boot with GRUB on the latest Debian
10 with custom secure boot keys. Unfortunately, I am receiving an
error from GRUB: "error: /vmlinuz-4.19.0-11-amd64 has invalid

Here are the steps that I have taken:

- generated 3 keys for the PK, KEK, and db key
- added those to my system's firmware
- signed ESP/EFI/debian/grubx64.efi with the db key
- signed /boot/vmlinuz-4.19.0-1{0,1}-amd64 with the db key
- enabled secure boot

My system firmware happily loads the signed grubx64.efi and takes
me to the boot menu. I think I am lacking some understanding of how
GRUB verifies the signatures of the kernel image that it loads--I
thought that it would compare the signature to the db key from the
EFI variables, but that doesn't seem to work.

Here are the troubleshooting steps I have tried:

- running update-grub and update-initramfs: no change
- removing the extra signature on the kernel images (in my initial
  configuration, they had been signed by both my and Debian's key):
  no change

What am I missing here?

Thank you,
Scott Colby
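As an added example (not part of the original mail, and not a GRUB or Debian tool), the script below inspects the enrolment side of the chain described above: it reads the PK, KEK, db and dbx variables from efivarfs, walks their EFI_SIGNATURE_LIST structures, prints a SHA-256 fingerprint for every enrolled certificate or hash, and reports whether a given db certificate file (PEM or DER) is byte-for-byte present in db. It also reads the SecureBoot variable to show whether enforcement is on. The vendor and signature-type GUIDs are the ones defined by the UEFI specification; everything else (the placeholder "certificate" bytes in the constructed sample, the all-zero owner GUID, the file paths) is an assumption made for the example. Enrolment is only one link: whether a bootloader consults db for the images it loads is a separate question, which this script does not answer.

```python
#!/usr/bin/env python3
"""Added example: list what the firmware's Secure Boot variables actually hold
and check that a db certificate is enrolled. Reads efivarfs on Linux and
falls back to a constructed sample elsewhere."""
import base64
import hashlib
import struct
import sys
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# PK, KEK and SecureBoot live under EFI_GLOBAL_VARIABLE_GUID;
# db and dbx under EFI_IMAGE_SECURITY_DATABASE_GUID.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
VARIABLES = {"PK": EFI_GLOBAL_VARIABLE_GUID, "KEK": EFI_GLOBAL_VARIABLE_GUID,
             "db": EFI_IMAGE_SECURITY_DATABASE_GUID, "dbx": EFI_IMAGE_SECURITY_DATABASE_GUID}
# Signature types found inside the lists.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(payload):
    """Walk a chain of EFI_SIGNATURE_LIST structures (variable payload with the
    4-byte efivarfs attribute prefix already removed). Each list holds same-sized
    EFI_SIGNATURE_DATA entries: a 16-byte SignatureOwner GUID followed by the
    certificate DER or hash. Returns (type_name, owner, data) tuples."""
    entries, off = [], 0
    while off < len(payload):
        if off + ESL_HEADER.size > len(payload):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(payload, off)
        end = off + list_size
        if list_size < ESL_HEADER.size or end > len(payload) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        type_name = SIG_TYPE_NAMES.get(uuid.UUID(bytes_le=type_raw), uuid.UUID(bytes_le=type_raw).hex)
        pos = off + ESL_HEADER.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            entries.append((type_name, owner, payload[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST (all entries in a list share one size)."""
    if len({len(s) for s in signatures}) != 1:
        raise ValueError("all entries of one EFI_SIGNATURE_LIST must have equal size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    sig_size = 16 + len(signatures[0])
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cert_in_db(payload, cert_der):
    """True if some X.509 entry in the db payload is byte-identical to cert_der."""
    want = sha256_hex(cert_der)
    return any(t == "X509" and sha256_hex(d) == want for t, _, d in parse_signature_lists(payload))


def secure_boot_state(raw_variable):
    """SecureBoot variable as read from efivarfs: 4 attribute bytes, then 1 = enforcing."""
    return raw_variable[4:5] == b"\x01"


def load_cert_der(path):
    """Accept the PEM that `openssl req -x509` writes, or raw DER."""
    raw = Path(path).read_bytes()
    if raw.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(ln.strip() for ln in raw.splitlines() if not ln.startswith(b"-----")))
    return raw


def read_variable(name):
    return (EFIVARS / f"{name}-{VARIABLES[name]}").read_bytes()[4:]  # drop attribute prefix


def build_demo_db():
    """Constructed sample db: two X.509 entries of different sizes (so two lists)
    plus one SHA-256 hash entry. The 'certificates' are placeholder bytes."""
    owner = uuid.UUID(int=0)  # placeholder SignatureOwner
    cert_a, cert_b = b"CONSTRUCTED-DER-CERT-A", b"CONSTRUCTED-DER-CERT-B-LONGER"
    digest = hashlib.sha256(b"constructed-binary").digest()
    payload = (build_signature_list(EFI_CERT_X509_GUID, owner, [cert_a])
               + build_signature_list(EFI_CERT_SHA256_GUID, owner, [digest])
               + build_signature_list(EFI_CERT_X509_GUID, owner, [cert_b]))
    return payload, cert_a, cert_b, digest


def report(name, payload):
    print(f"{name}:")
    for type_name, owner, data in parse_signature_lists(payload):
        print(f"  {type_name:6} owner={owner} sha256={sha256_hex(data)} ({len(data)} bytes)")


def main(argv):
    if (EFIVARS / f"db-{EFI_IMAGE_SECURITY_DATABASE_GUID}").exists():
        sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
        print("SecureBoot enforcing:", secure_boot_state(sb.read_bytes()) if sb.exists() else "unknown")
        for name in VARIABLES:
            try:
                report(name, read_variable(name))
            except FileNotFoundError:
                print(f"{name}: variable not present")
        if len(argv) > 1:  # argv[1]: the db certificate used for signing (PEM or DER)
            print("certificate enrolled in db:", cert_in_db(read_variable("db"), load_cert_der(argv[1])))
    else:
        payload, cert_a, _, _ = build_demo_db()
        report("db (constructed sample)", payload)
        print("sample cert enrolled:", cert_in_db(payload, cert_a))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 sbdb.py /path/to/db.crt` on the booted system; if the script reports the certificate as not enrolled, or shows a different fingerprint than `openssl x509 -noout -fingerprint -sha256` gives for the file, the firmware is not holding the key that was used for signing, which rules in or out the enrolment step before looking at the bootloader.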

