I'm running Ubuntu with Secure Boot on. Everything works fine when I use a kernel that comes packaged from Canonical. Still, I have issues running a self-signed kernel. I'm pretty sure my signature with the MOK key is OK (verification below), but still, when I try to boot the kernel from grub, after selecting the correct entry, I get an error that reads "Loading ... error: bad shim signature." I'm wrapping my head around it and can't find a solution. Why, even though both kernels are signed with MOK keys, does one of them work and the other doesn't?
Verification:
```
root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
Image was already signed; adding additional signature
root@T495:~# sbverify --list /boot/vmlinuz
signature 1
image signature issuers:
 - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/[email protected]
image signature certificates:
 - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/[email protected]
   issuer: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/[email protected]
signature 2
image signature issuers:
 - /CN=ubuntu Secure Boot Module Signature key
image signature certificates:
 - subject: /CN=ubuntu Secure Boot Module Signature key
   issuer: /CN=ubuntu Secure Boot Module Signature key
```
and
```
root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint -noout
SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
```
I have no idea what is going on :|
mokutil --db
should show you a list of various certs, of which Ubuntu's shim cert and your own cert have to be loaded, one for the shim, the other for the kernel.
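An added example, not part of the question or the answer above: a small Python checker that parses the text `sbverify --list` and `mokutil --list-enrolled` print (constructed samples embedded inline) and reports which of the image's signatures come from a certificate whose Subject matches an enrolled MOK, normalising sbverify's `/C=..` form and openssl's `C = .., ..` form before comparing. It matches on Subject DN only, which is a heuristic; the authoritative check is `sbverify --cert MOK.pem /boot/vmlinuz`, and the constructed mokutil sample is abridged and may differ in detail from a real listing.

```python
import re

# Constructed sample of `sbverify --list /boot/vmlinuz` in the shape shown above.
SBVERIFY_OUT = """signature 1
image signature certificates:
 - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing
   issuer: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing
signature 2
image signature certificates:
 - subject: /CN=ubuntu Secure Boot Module Signature key
   issuer: /CN=ubuntu Secure Boot Module Signature key
"""
# Constructed, abridged sample of `mokutil --list-enrolled` (openssl text form).
MOKUTIL_OUT = """[key 1]
SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
Certificate:
    Data:
        Issuer: C = PL, ST = yes, L = yes, O = none, CN = Secure Boot Signing
        Subject: C = PL, ST = yes, L = yes, O = none, CN = Secure Boot Signing
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""

def normalize_dn(dn: str) -> frozenset:
    """'/C=PL/CN=x' (sbverify) and 'C = PL, CN = x' (openssl) -> {'C=PL', 'CN=x'}."""
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(", ")
    return frozenset(re.sub(r"\s*=\s*", "=", p.strip()) for p in parts if p.strip())

def parse_sbverify(text: str) -> list:
    """One dict per 'signature N' block, carrying the signer certificate's subject."""
    sigs = []
    for line in text.splitlines():
        m = re.match(r"signature (\d+)$", line.strip())
        if m:
            sigs.append({"index": int(m.group(1)), "subject": None})
        elif sigs and line.strip().startswith("- subject:"):
            sigs[-1]["subject"] = normalize_dn(line.split(":", 1)[1])
    return sigs

def parse_mokutil(text: str) -> list:
    """Normalised Subject of every certificate mokutil lists as enrolled."""
    return [normalize_dn(m.group(1)) for m in re.finditer(r"^\s*Subject: (.+)$", text, re.M)]

def trusted_signature_indexes(sbverify_out: str, mokutil_out: str) -> list:
    """Indexes of image signatures whose signer Subject matches an enrolled MOK."""
    enrolled = parse_mokutil(mokutil_out)
    return [s["index"] for s in parse_sbverify(sbverify_out) if s["subject"] in enrolled]

if __name__ == "__main__":
    print("signatures matching an enrolled MOK:", trusted_signature_indexes(SBVERIFY_OUT, MOKUTIL_OUT))
```

With the samples above only signature 1 matches, which is the situation the question describes: the MOK-signed signature is present, and the second signature's key is not among the enrolled MOKs.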