Secure Boot Issues

Hi,

I've been trying to get Secure Boot to work with Linux, specifically adding my own PK, KEK, and db certificates, and it seems to me that this is not working as it should.

When booting Linux (with Secure Boot still disabled), I can see the installed certificates with efi-readvar (or mokutil --pk, etc.), and this shows the certificates I installed myself.

However, when trying to validate EFI files with sbverify, those certificates seem to be ignored. Specifically, I have added the UEFI certificate from Debian, but the GRUB bootloader from Debian, signed with that very certificate, still cannot be verified; sbverify gives me the error message "Signature verification failed". I can even extract the certificate from the EFI variables, save it to a file, and feed it to sbverify --cert <cert file> <EFI file>, in which case the validation succeeds, indicating that the certificate is indeed correct.

Another data point that this is not working as intended: if I use sbverify on the shim, which is signed by Microsoft, the validation succeeds, even though the db list only contains my custom db certificate, so the validation should not succeed.

So, generally, it seems that the list of certificates shown in the EFI variables and what is actually used by sbverify do not correspond, and sbverify seems to fall back on some standard certificates, from what I can tell.

However, I am relatively new to this, so I might still have made a mistake somewhere, but after spending several hours tracking down the problem, it still seems to me that what I've set up should work...

Any help would be greatly appreciated.

Thanks!
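The point worth checking in the situation above is that sbverify is a user-space tool that verifies a PE image's Authenticode signature against whatever certificate(s) you hand it with --cert; it does not read the firmware's db variable, so the list printed by efi-readvar and what sbverify trusts are unrelated until you extract the db entries and pass them in yourself. The script below is an added example, not code from the post or from sbsigntools or efitools: it parses the EFI_SIGNATURE_LIST data that efivarfs exposes for db (the 4-byte attribute prefix stripped), writes every X.509 entry out as PEM, and prints the sbverify command to run against each. The GUIDs are the UEFI-specified values; the path under /sys/firmware/efi/efivars is the standard efivarfs name for db; the sample blob at the bottom is constructed for this example and contains a placeholder DER payload, not a real certificate.

```python
"""Dump the X.509 entries of a Secure Boot db (EFI_SIGNATURE_LIST data) as PEM
files so each can be fed to `sbverify --cert`.  Added example; assumes the
efivarfs layout (4-byte attributes + variable data) and the UEFI 2.x
EFI_SIGNATURE_LIST structure."""
import base64
import struct
import sys
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DEFAULT_DB_PATH = f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")


def parse_esl(data: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return
    (SignatureType, SignatureOwner, SignatureData) for every entry.
    Inconsistent sizes raise instead of silently dropping entries."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI GUIDs are mixed-endian
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # each entry is a 16-byte owner GUID plus data
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body = data[off + ESL_HEADER.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Inverse of parse_esl for one list.  SignatureSize is fixed per list, so
    every payload must have the same length (fine for SHA-256 hashes; X.509
    certificates of different sizes each need their own list)."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all SignatureData in one list must have the same length")
    sig_size = 16 + sizes.pop()
    list_size = ESL_HEADER.size + sig_size * len(payloads)
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


def read_efivar(path: str) -> tuple[int, bytes]:
    """efivarfs prefixes the variable contents with a 4-byte attribute word."""
    with open(path, "rb") as f:
        raw = f.read()
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def x509_entries_as_pem(data: bytes) -> list[str]:
    """Return each X.509 db entry as a PEM string (the form sbverify --cert reads).
    SHA-256 hash entries are skipped: the firmware honours them, but sbverify
    cannot model them through --cert, so a hash-allowlisted image will fail
    here yet boot fine."""
    pems = []
    for sig_type, _owner, der in parse_esl(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pems.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                    + "\n-----END CERTIFICATE-----\n")
    return pems


# Constructed sample: one X.509 list holding a placeholder DER SEQUENCE
# (not a certificate) and one SHA-256 list with two dummy hashes.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
FAKE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_DB = (
    build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_DER])
    + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DB_PATH
    try:
        _attrs, data = read_efivar(path)
    except OSError as e:
        print(f"cannot read {path}: {e}; using the constructed sample", file=sys.stderr)
        data = SAMPLE_DB
    for n, pem in enumerate(x509_entries_as_pem(data)):
        name = f"db-{n}.pem"
        with open(name, "w") as f:
            f.write(pem)
        print(f"wrote {name}; check an image with: sbverify --cert {name} <image.efi>")
```

Running this on a machine where db is visible and then looping `sbverify --cert db-N.pem grubx64.efi` over the written files answers the real question: would the firmware, with exactly these db entries, accept this image? An image that verifies against none of them (and is not covered by a SHA-256 hash entry, which the firmware also accepts but this check cannot express) will be rejected once Secure Boot is enabled, whatever sbverify reports without --cert.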
