Edit summary: MMX64 (revision by NJP)

I am writing my own OS loader (boot loader) in UEFI. The OS loader is Microsoft-signed so it can run under Secure Boot. The OS loader will be able to load either a Windows or a Linux kernel based on the user's selection (something similar to GRUB). Since I have built the Linux kernel as an EFI stub, I can load it from my OS loader.

However, I have a specific requirement: I will be self-signing the Linux kernel.

How do I establish a chain of trust to make sure that I am loading my own self-signed Linux kernel and not some other unsigned kernel?

Edited on 21-Jan-2022 after working on suggestions from telcoM

Continuing from the answer from telcoM, I downloaded the SHIM source from https://github.com/rhboot/shim
I also created the PKI keys following
https://www.rodsbooks.com/efi-bootloaders/secureboot.html#initial_shim

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=Your Name/"
$ openssl x509 -in MOK.crt -out MOK.cer -outform DER

Built the SHIM source using

make VENDOR_CERT_FILE=MOK.cer

Signed my kernel.efi with MOK.key to get a signed grubx64.efi (this is because the default loader in SHIM is grubx64.efi; I just went ahead with the defaults).

sbsign --key MOK.key --cert MOK.crt --output grubx64.efi  kernel.efi

Finally, I used shimx64.efi as loader.efi (via PreLoader, https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/) because at present I don't have a shimx64.efi signed by Microsoft. In addition, mmx64.efi and fbx64.efi are enrolled through HashTool.efi along with shimx64.efi (loader.efi).

Here is the flow.
PreLoader.efi --> loader.efi(shimx64.efi) --> grubx64.efi(kernel.efi)

With Secure Boot disabled, everything works fine and I am able to boot the Linux kernel.
However, with Secure Boot enabled, I am not able to start the grubx64.efi image.

Further updates

I figured out that I should have used MokManager (mmx64.efi) to enroll MOK.cer. I tried using mmx64.efi and enrolled MOK.cer. However, it looks like the key is not registered successfully.

Am I missing anything?
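The chain-of-trust decision the question is asking about, written out as an added Go example (this is not code from shim or from the question's author): a self-signed MOK certificate is generated, a stand-in kernel image is signed with it, and a verifier checks the image the way shim does, consulting the firmware db, the certificate built in with VENDOR_CERT_FILE, and the MokList, in that order. The signature format is a deliberate simplification (a PKCS#1 v1.5 signature over the image's SHA-256 digest with the signer certificate attached) rather than real Authenticode, the kernel bytes are constructed, and all function and type names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned is the equivalent of the `openssl req -new -x509 ...` step:
// it returns the MOK private key and its self-signed certificate.
func newSelfSigned(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signedImage is a simplified model of a signed PE binary: image bytes, a
// signature over their SHA-256 digest, and the embedded signer certificate.
type signedImage struct {
	image []byte
	sig   []byte
	cert  *x509.Certificate
}

// sign plays the role of `sbsign --key MOK.key --cert MOK.crt`.
func sign(key *rsa.PrivateKey, cert *x509.Certificate, image []byte) (*signedImage, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &signedImage{image: image, sig: sig, cert: cert}, nil
}

// trustStore holds the certificate sources shim consults, in the order it consults them.
type trustStore struct {
	db      []*x509.Certificate // UEFI db (firmware / Microsoft certificates)
	vendor  []*x509.Certificate // compiled in via VENDOR_CERT_FILE=MOK.cer
	mokList []*x509.Certificate // MokList, populated by MokManager (mmx64.efi)
}

// verify reports which store vouched for the image, or why it was rejected. A bad
// signature means the binary was altered or signed with another key; an unknown
// signer means the signature is fine but its certificate was never enrolled.
func verify(ts trustStore, img *signedImage) (string, error) {
	if img == nil || len(img.sig) == 0 || img.cert == nil {
		return "", errors.New("image is unsigned")
	}
	pub, ok := img.cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported key type in embedded certificate")
	}
	digest := sha256.Sum256(img.image)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], img.sig); err != nil {
		return "", fmt.Errorf("signature does not match image: %w", err)
	}
	// Trust is an exact match of the embedded certificate against an enrolled one;
	// a valid signature from an unknown key is still rejected.
	sources := []struct {
		name  string
		certs []*x509.Certificate
	}{{"db", ts.db}, {"vendor-cert", ts.vendor}, {"MokList", ts.mokList}}
	for _, src := range sources {
		for _, c := range src.certs {
			if bytes.Equal(c.Raw, img.cert.Raw) {
				return src.name, nil
			}
		}
	}
	return "", errors.New("signer certificate not in db, vendor cert or MokList")
}

func main() {
	key, cert, _ := newSelfSigned("Your Name")
	img, _ := sign(key, cert, []byte("constructed stand-in for kernel.efi"))
	_, err := verify(trustStore{}, img) // nothing enrolled: the question's failing state
	who, _ := verify(trustStore{mokList: []*x509.Certificate{cert}}, img)
	fmt.Println("no MOK enrolled:", err, "| MOK.cer enrolled via MokManager:", who)
}
```

The useful point for debugging is that the two failure paths are different. A signature mismatch means the wrong key was used or the binary changed after signing; "signer certificate not in db, vendor cert or MokList" is exactly the state in which MOK.cer was neither built into shim nor enrolled, which is the first thing to confirm when MokManager appears not to have registered the key.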


Edit summary: Used shim (revision by NJP)

I am writing my own OS loader (boot loader) in UEFI. The OS loader is Microsoft-signed so it can run under Secure Boot. The OS loader will be able to load either a Windows or a Linux kernel based on the user's selection (something similar to GRUB). Since I have built the Linux kernel as an EFI stub, I can load it from my OS loader.

However, I have a specific requirement: I will be self-signing the Linux kernel.

How do I establish a chain of trust to make sure that I am loading my own self-signed Linux kernel and not some other unsigned kernel?

Edited on 21-Jan-2022 after working on suggestions from telcoM

Continuing from the answer from telcoM, I downloaded the SHIM source from https://github.com/rhboot/shim
I also created the PKI keys following
https://www.rodsbooks.com/efi-bootloaders/secureboot.html#initial_shim

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=Your Name/"
$ openssl x509 -in MOK.crt -out MOK.cer -outform DER

Built the SHIM source using

make VENDOR_CERT_FILE=MOK.cer

Signed my kernel.efi with MOK.key to get a signed grubx64.efi (this is because the default loader in SHIM is grubx64.efi; I just went ahead with the defaults).

sbsign --key MOK.key --cert MOK.crt --output grubx64.efi  kernel.efi

Finally, I used shimx64.efi as loader.efi (via PreLoader, https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/) because at present I don't have a shimx64.efi signed by Microsoft. In addition, mmx64.efi and fbx64.efi are enrolled through HashTool.efi along with shimx64.efi (loader.efi).

Here is the flow.
PreLoader.efi --> loader.efi(shimx64.efi) --> grubx64.efi(kernel.efi)

With Secure Boot disabled, everything works fine and I am able to boot the Linux kernel.
However, with Secure Boot enabled, I am not able to start the grubx64.efi image.

Am I missing anything?


Original post by NJP
UEFI Self-Signed Kernel loading from a Microsoft Signed OS Loader

I am writing my own OS loader (boot loader) in UEFI. The OS loader is Microsoft-signed so it can run under Secure Boot. The OS loader will be able to load either a Windows or a Linux kernel based on the user's selection (something similar to GRUB). Since I have built the Linux kernel as an EFI stub, I can load it from my OS loader.

However, I have a specific requirement: I will be self-signing the Linux kernel.

How do I establish a chain of trust to make sure that I am loading my own self-signed Linux kernel and not some other unsigned kernel?

Thanks.