I'm trying to set up Secure Boot using custom keys exclusively, following the guide from rodsbooks. I created and enrolled keys for db, KEK and PK and signed grub and the kernel image accordingly (with the same db key), and could verify the signature with sbverify against the created db key.
If I turn on Secure Boot it fails to verify the signature for the kernel image:
"/boot/vmlinuz... has invalid signature"
What I figured out so far:
- The signature for grub is working. If I remove it, I get a different error (the red box).
- Using different keys for grub and the kernel image has the same result (I would also expect that it's ok to use the same key).
- Signing the kernel with sbsign or osslsigncode (like this question) makes no difference, same result.
- bootctl status only shows grub as the bootloader.
- I did not change the name of the kernel image. I would expect there is no change in grub necessary.
- MokManager (i.e. mmx64.efi) is present (but shouldn't make a difference here?)
Kernel is version 4.19.0-6; Distribution is Debian 10, if that matters.
vmlinuz... than grub is trying to boot? Is /boot/vmlinuz a symlink to somewhere else, as a part of package management for instance?
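The check the comment above is asking for, written out as an added example (not part of the question or the comment): it lists the kernel paths that grub.cfg actually references, follows any symlink to the real file, and runs sbverify on that file against the db certificate. The db certificate path is an assumption (set DB_CERT to wherever the rodsbooks keys were created); sbverify comes from the sbsigntool package.

```shell
#!/bin/sh
# Added diagnostic for the "invalid signature" case above.
# Assumption: the db certificate created while following the guide is at
# $DB_CERT (override with the environment variable).
DB_CERT="${DB_CERT:-/root/efikeys/db.crt}"

# Resolve a kernel path to the file grub will really read (follows symlinks,
# e.g. the distribution-managed /vmlinuz -> /boot/vmlinuz-<version> link).
resolve_kernel() {
    readlink -f "$1"
}

# Kernel images named in grub.cfg. Paths are relative to the filesystem
# grub is reading from: with a separate /boot partition they appear as
# /vmlinuz-<version>, not /boot/vmlinuz-<version>.
grub_kernels() {
    cfg="${1:-/boot/grub/grub.cfg}"
    [ -r "$cfg" ] || return 1
    awk '$1 == "linux" || $1 == "linuxefi" { print $2 }' "$cfg" | sort -u
}

# Verify the resolved file against the db certificate.
# Returns 0 on a good signature, 1 if the file is missing,
# 2 if sbverify is not installed, otherwise sbverify's own exit status.
verify_kernel() {
    kernel="$(resolve_kernel "$1")"
    [ -f "$kernel" ] || return 1
    command -v sbverify >/dev/null 2>&1 || return 2
    echo "verifying $kernel (from $1) against $DB_CERT"
    sbverify --cert "$DB_CERT" "$kernel"
}

# Show which certificate a signed image actually carries, so a mismatch
# between the signing cert and the enrolled db cert is visible.
list_signature() {
    kernel="$(resolve_kernel "$1")"
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --list "$kernel"
}

# Usage: check every kernel grub.cfg points at. Prefix /boot only when
# /boot is not a separate partition (adjust BOOT_PREFIX otherwise).
main() {
    BOOT_PREFIX="${BOOT_PREFIX:-}"
    for k in $(grub_kernels); do
        verify_kernel "$BOOT_PREFIX$k" || echo "FAILED ($?): $k"
    done
}
[ "${1:-}" = "--run" ] && main
```

If resolve_kernel prints a different file than the one that was signed, the signed image is simply not the one grub loads; sign the resolved file (or the path grub.cfg names) and re-run. If the file is right but sbverify fails, compare the certificate shown by list_signature with the enrolled db certificate.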