Re: public key not being added to store

From: Andrei Borzenkov
Subject: Re: public key not being added to store
Date: Sat, 13 Aug 2022 09:33:14 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0

On 12.08.2022 19:27, Akshath Hegde wrote:
> Hi,
> I'm trying to bring up Ubuntu on QEMU with secure boot enabled. I have
> registered PK, KEK and db, and enabled secure boot option.
> In the initial grub.cfg file under ESP, I have set check_signatures to
> enforce. This file is signed by my gpg key. After this I'm creating a grub
> image with --pubkey option set to gpg key 

It all is rather vague. There are private and public keys and it is
unclear what you used. What file format "gpg key" has etc.

> file and modules containing "
> pgp verifiers gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa"

Never describe what you did. Always copy and paste exact commands with
full output.

> The created grubx64.efi, vmlinuz are signed with db key and all the grub
> modules, the second grub cfg file, vmlinuz and initrd are signed with my
> gpg key
> But with this the image fails to boot. In the grub console, I see
> list_trusted is empty.

This implies that whatever you used as "gpg key" is not recognized as
a valid GPG public key by grub. Can you load the same file manually on
grub command line?

> But in the grub image hexdump I see the key is
> present and pgp has been included in the modules while creating the image.
> On the console, insmod gpg doesn't seem to change this either as trusted
> list is still empty. I have set debug to loader,verify, but don't see any

"insmod gpg" after core.img was loaded does not add any keys. You have
to do it manually with "trust" command.

> messages coming up.
> Any help in debugging further would be appreciated
> Thanks
> Akshath
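
An added example, not part of the original message and not GRUB code: a check of whether the file handed to --pubkey is a binary OpenPGP public key rather than an ASCII-armored export or a secret key, and which algorithm (RSA or DSA, matching the gcry_rsa / gcry_dsa modules named above) it uses. It assumes GRUB wants the unarmored output of gpg --export; the function names and sample bytes are constructed here.

```python
ALGOS = {1: "RSA", 17: "DSA"}  # RFC 4880 public-key algorithm IDs

def parse_packet(data, pos=0):
    """Parse one RFC 4880 packet at pos; return (tag, body, next_pos)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, data[pos + 1]
        if l0 < 192:
            length, hdr = l0, 2
        elif l0 < 224:
            length, hdr = ((l0 - 192) << 8) + data[pos + 2] + 192, 3
        elif l0 == 255:
            length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body length not handled")
    else:  # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype  # 1, 2 or 4 length octets
        length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
    body = data[pos + hdr:pos + hdr + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, pos + hdr + length

def classify_key_file(data):
    """Classify a candidate key file by its first packet."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return "ascii-armored"
    try:
        tag, body, _ = parse_packet(data)
    except (ValueError, IndexError):
        return "not-openpgp"
    if tag == 5:
        return "secret-key"
    if tag != 6 or len(body) < 6:
        return "other-packet"
    algo = body[5]  # v4 key body: version, 4-byte creation time, algorithm
    return "public-key:" + ALGOS.get(algo, "algo-%d" % algo)

# Constructed sample inputs (dummy bytes, not real keys).
BODY = bytes([4, 0, 0, 0, 0, 1]) + b"\x00\x08\xc3\x00\x08\x03"
SAMPLE_BINARY = bytes([0x98, len(BODY)]) + BODY   # tag 6, public key
SAMPLE_SECRET = bytes([0x94, len(BODY)]) + BODY   # tag 5, secret key
SAMPLE_ARMORED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n(constructed)\n"
```

To check a real file, pass `open(path, "rb").read()` to `classify_key_file`; anything other than a `public-key:` result means the file is not in the form assumed above.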
