Re: Verify the signature of OSes (for SB)
From: Federico Angelilli
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 06:06:26 +0100
User-agent: K-9 Mail for Android
Hello,
Thanks for responding.
I am quite sure I am not using a shim lock at all. I simply signed with the
UEFI key the grub image. How would I go about installing a shim? And is it
necessary?
Thanks,
Federico
PS: I followed a guide on Gentoo's wiki
On November 22, 2023 12:23:07 AM GMT+01:00, Adam Vodopjan
<adam.vodopjan@gmail.com> wrote:
>
>On 22/11/2023 00:25, Federico Angelilli wrote:
>> Hello,
>> A few months ago I decided to turn on secure boot on my dual os desktop,
>> mainly due to some SB related shenanigans in Windows 11.
>> After a (fairly long) session of trial and error, I finally got everything
>> to work like this:
>> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with the
>> right SB key
>> 2) When updating grub, sign it with the SB key as well
>>
>> Everything now works: I can boot with SB enabled to grub, then I can either
>> choose to use the linux signed kernel or the windows chainloader.
>> Except for a small detail: I can boot even from the unsigned kernels. While
>> I first thought of it as an error on my configuration, it turned out to
>> be a shortcoming in grub itself (as far as I understand), that simply cannot
>> verify sb signatures on its own.
>
>
>Have you got shim installed? IIRC grub uses some shim's service to verify
>kernels. So under SB you should boot into shim, not into grub directly.
>
>
>There is also the --disable-shim-lock option in grub-mkimage. Maybe that's your
>case.
>
>
>>
>> So, how can I set up grub in a way that I can:
>> 1) boot with secure boot enabled to the grub menu
>> 2) only boot from entries that are signed themselves
>>
>> Thanks,
>> Federico
>>
>>
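
An added example, not part of the original message or of GRUB: a small audit helper that tells which kernel or GRUB EFI images carry an embedded signature at all, which is the distinction between the signed and unsigned kernels discussed above. It only checks that the PE/COFF Certificate Table is present and non-empty, not that the signature validates against the Secure Boot keys; the function names and the sample images are constructed for illustration.

```python
import struct
import sys

def has_signature_table(image: bytes) -> bool:
    """True if a PE/COFF (EFI) image has a non-empty Certificate Table entry."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("not a PE image: missing MZ header")
        pe_off = struct.unpack_from("<I", image, 0x3C)[0]
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE image: missing PE signature")
        opt = pe_off + 24  # 4-byte signature + 20-byte COFF file header
        magic = struct.unpack_from("<H", image, opt)[0]
        if magic == 0x10B:      # PE32
            dirs = opt + 96
        elif magic == 0x20B:    # PE32+ (x86_64 and aarch64 EFI binaries)
            dirs = opt + 112
        else:
            raise ValueError("unknown optional header magic")
        # NumberOfRvaAndSizes sits directly before the data directories.
        count = struct.unpack_from("<I", image, dirs - 4)[0]
        if count <= 4:
            return False  # no slot for the Certificate Table (index 4)
        # For this entry the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    except struct.error:
        raise ValueError("truncated PE header") from None
    return size > 0 and offset + size <= len(image)

def constructed_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x20B)       # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 112 + 32, 0x180, 0x80)
    return bytes(img)

if __name__ == "__main__":
    # Usage: pass the paths of the EFI images to audit as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            state = "signed" if has_signature_table(fh.read()) else "UNSIGNED"
        print(f"{state:8} {path}")
```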