
I'm trying to set up Secure Boot using custom keys exclusively, following the guide from rodsbooks. I created and enrolled keys for db, KEK and PK and signed grub and the kernel image accordingly (with the same db key), and could verify the signature with sbverify against the created db key.

If I turn on Secure Boot it fails to verify the signature for the kernel image:

"/boot/vmlinuz... has invalid signature"

What I figured out so far:

  • The signature for grub is working. If I remove it, I get a different error (the red box)
  • Using different keys for grub and the kernel image gives the same result (I would also expect it to be okay to use the same key)
  • Signing the kernel with sbsign or osslsigncode (like this question) makes no difference; same result
  • bootctl status only shows grub as the bootloader
  • I did not change the name of the kernel image, so I would expect that no change in grub is necessary
  • MokManager (i.e. mmx64.efi) is present (but shouldn't make a difference here?)

The kernel version is 4.19.0-6; the distribution is Debian 10, if that matters.

  • Are you able to start the kernel image directly from EFI? (For example, by adding it as a bootloader via efibootmgr, or by starting it from EFI Shell?) Commented Aug 12, 2020 at 14:11
  • How does that make a difference?
    – fiscblog
    Commented Aug 12, 2020 at 14:56
  • I don't know Debian, but is it possible that you're signing a different vmlinuz... than grub is trying to boot? Is /boot/vmlinuz a symlink to somewhere else, as a part of package management for instance? Commented Aug 18, 2021 at 18:53
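One way to check the hypothesis raised in the comments (GRUB loading a different file than the one that was signed, e.g. via a symlink) is to walk the `linux` entries of grub.cfg, resolve each path, and run sbverify against the enrolled db certificate. This is an added example, not code from the question or the comments; it assumes Debian's /boot/grub/grub.cfg, a db.crt at an assumed path, and sbverify from the sbsigntool package.

```shell
#!/bin/sh
# Check that every kernel GRUB will boot carries a signature that validates
# against the db certificate. Paths are assumptions for a Debian layout and
# can be overridden through the environment.
GRUB_CFG="${GRUB_CFG:-/boot/grub/grub.cfg}"
DB_CERT="${DB_CERT:-/root/efi-keys/db.crt}"   # cert matching the db key given to sbsign
SBVERIFY="${SBVERIFY:-sbverify}"              # from the sbsigntool package

# List the kernel images named on "linux" lines of a grub.cfg, one per line.
grub_kernels() {
    awk '$1 == "linux" { print $2 }' "$1" | sort -u
}

# GRUB paths are relative to the partition that holds /boot: when /boot is
# its own partition, "/vmlinuz-x" on a linux line means "/boot/vmlinuz-x".
on_disk_path() {
    if [ -e "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "/boot$1"; fi
}

# Verify one kernel. Symlinks are resolved first: signing the symlink target
# while GRUB loads another file looks exactly like a bad signature at boot.
check_kernel() {
    real=$(readlink -f "$(on_disk_path "$1")") || return 2
    if "$SBVERIFY" --cert "$DB_CERT" "$real" >/dev/null 2>&1; then
        printf 'OK        %s -> %s\n' "$1" "$real"
        return 0
    fi
    printf 'BAD/UNSIGNED %s -> %s\n' "$1" "$real"
    return 1
}

# Check every kernel GRUB can boot; exit status is non-zero if any fails.
check_all() {
    rc=0
    for k in $(grub_kernels "$GRUB_CFG"); do
        check_kernel "$k" || rc=1
    done
    return $rc
}
```

Run `check_all` as root after signing; a `BAD/UNSIGNED` line whose resolved path differs from the file you passed to sbsign is the symlink case from the comments.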
