As the title suggests, I'm trying to set up a system that uses PXE boot to boot into CentOS 7 with custom signing keys. This process is adapted from several guides, but the gist of it is that I use grub to load a grub.cfg, Linux kernel and initramfs.gz (which contains the filesystem) from a TFTP server. These are verified with GPG signatures.
However, I then got the error that my Linux kernel is not signed correctly, while it is signed with my own db key for Secure Boot. The key should be installed correctly in UEFI, as the grub EFI binary is also signed and should also be verified by Secure Boot. Furthermore, I've also checked whether the GPG verification succeeded with the grub command line, which it did.
After this, I read some articles online and came to the conclusion that I should use shim as a first-stage bootloader (and also sign that with the same db key). So I copied it from a CentOS VM and pointed the DHCP server to shim. The issue persists as it gives the same error message, but now it also gives a location:
error: ../../grub-core/loader/i386/efi/linux.c:215:/vmlinuz has invalid signature.
I can't seem to find the file which is responsible in grub, as it is probably a different version. My search led me to this Red Hat article.
However, the article is behind a paywall. I'm not asking for access to the article (I'm not sure whether that is allowed), as it may be a completely different problem. I also tried to build shim on my own, providing the DER encrypted key during the build process, but that seems to change nothing.
I'm also new to shim and I'm not sure whether the usage of the machine operator key (MOK) is mandatory, or whether it is sufficient to just sign it with the db key.
Do any of you have any pointers for me? Thank you.
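When grub reports "has invalid signature" for a kernel loaded through shim, the first thing worth establishing is whether each binary in the chain (shim, the grub EFI image, the kernel's EFI stub) actually carries an embedded Authenticode signature at all, before worrying about which key it chains to. The following is an added example, not code from the question or from the shim/grub projects: a standard-library Python parser that walks the PE headers to the Certificate Table data directory and lists the WIN_CERTIFICATE entries. The `build_sample_pe` helper constructs a minimal, headers-only PE32+ image with a placeholder certificate blob so the script can be exercised offline; the blob is not real PKCS#7 data. Whether a present signature chains to the db key is a separate check (for example `sbverify --cert db.crt <image>` from sbsigntools).

```python
import struct
import sys
from dataclasses import dataclass
from typing import List

# Constants from the PE/COFF and Authenticode specifications
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Certificate Table index
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class CertEntry:
    offset: int      # file offset of the WIN_CERTIFICATE header
    length: int      # dwLength (header + certificate bytes)
    revision: int    # wRevision
    cert_type: int   # wCertificateType
    cert_len: int    # bytes of bCertificate payload


def _u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]


def _u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]


def authenticode_entries(image: bytes) -> List[CertEntry]:
    """Return the WIN_CERTIFICATE entries in a PE image's Certificate Table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (missing MZ header)")
    pe = _u32(image, 0x3C)                     # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                          # optional header follows COFF header
    opt_size = _u16(image, pe + 4 + 16)        # SizeOfOptionalHeader
    magic = _u16(image, opt)
    if magic == PE32PLUS_MAGIC:
        ndirs_off, dirs = opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        ndirs_off, dirs = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if _u32(image, ndirs_off) <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []                              # no Certificate Table directory at all
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("Certificate Table entry lies outside the optional header")
    # For the security directory the "VirtualAddress" is a raw file offset
    table_off, table_size = _u32(image, entry), _u32(image, entry + 4)
    if table_off == 0 or table_size == 0:
        return []
    if table_off + table_size > len(image):
        raise ValueError("Certificate Table runs past end of file")
    entries, pos, end = [], table_off, table_off + table_size
    while pos + 8 <= end:
        length = _u32(image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append(CertEntry(pos, length, _u16(image, pos + 4),
                                 _u16(image, pos + 6), length - 8))
        pos += (length + 7) & ~7               # entries are 8-byte aligned
    return entries


def is_authenticode_signed(image: bytes) -> bool:
    """True if at least one PKCS#7 SignedData certificate entry is present."""
    return any(e.cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for e in authenticode_entries(image))


def build_sample_pe(signed: bool) -> bytes:
    """Constructed headers-only PE32+ image for offline testing (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # PE header immediately after DOS header
    opt_size = 240                             # PE32+ optional header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    cert_off = 64 + 4 + 20 + opt_size          # = 328, already 8-byte aligned
    blob = b""
    if signed:
        fake = b"\x30\x82" + bytes(range(22))  # placeholder bytes, not real PKCS#7
        blob = struct.pack("<IHH", 8 + len(fake), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake
        blob += b"\0" * ((-len(blob)) % 8)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    # Usage: python pecheck.py shimx64.efi grubx64.efi vmlinuz
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        entries = authenticode_entries(data)
        print(f"{path}: {'signed' if is_authenticode_signed(data) else 'NOT signed'}"
              f" ({len(entries)} certificate entr{'y' if len(entries) == 1 else 'ies'})")
```

Run it against the exact files served over TFTP (the shim, the grub image and the kernel), not against copies elsewhere on the build host; a kernel that shows "NOT signed" here was never signed at all, while one that shows "signed" but still fails in grub points at a trust-chain problem (wrong certificate, or the signing certificate not being in db or MokList as seen by shim).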