
Re: Verify the signature of OSes (for SB)


From: Adam Vodopjan
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 11:59:12 +0200
User-agent: Mozilla Thunderbird

There is a dedicated page in the wiki

https://wiki.gentoo.org/wiki/Shim


On 22/11/2023 07:06, Federico Angelilli wrote:
> Hello,
> Thanks for responding.
>
> I am quite sure I am not using a shim lock at all. I simply signed with the 
> uefi key the grub image. How would I go about installing a shim? And is it 
> necessary?
>
> Thanks,
> Federico
>
> PS: I followed a guide on Gentoo's wiki
>
>
> On November 22, 2023 12:23:07 AM GMT+01:00, Adam Vodopjan 
> <adam.vodopjan@gmail.com> wrote:
>
>> On 22/11/2023 00:25, Federico Angelilli wrote:
>>
>>> Hello,
>>> A few months ago I decided to turn on secure boot on my dual OS desktop,
>>> mainly due to some SB related shenanigans in Windows 11. After a (fairly
>>> long) session of trial and error, I finally got everything to work like
>>> this:
>>> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with
>>> the right SB key
>>> 2) When updating grub, sign it with the SB key as well
>>> Everything now works: I can boot with SB enabled to grub, then I can
>>> either choose to use the Linux signed kernel or the Windows chainloader.
>>> Except for a small detail: I can boot even from the unsigned kernels.
>>> While I first thought of it as an error in my configuration, it turned
>>> out to be a shortcoming in grub itself (as far as I understand), that
>>> simply cannot verify SB signatures on its own.
>>
>> Have you got shim installed? IIRC grub uses shim's service to verify
>> kernels. So under SB you should boot into shim, not into grub directly.
>> There is also the --disable-shim-lock option in grub-mkimage. Maybe
>> that's your case.
>>
>>> So, how can I set up grub in a way that I can:
>>> 1) boot with secure boot enabled to the grub menu
>>> 2) only boot from entries that are signed themselves
>>> Thanks,
>>> Federico
>

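The thread turns on whether the kernel GRUB hands to shim actually carries a Secure Boot (Authenticode) signature. The check below is an added example, not code from this thread or from the GRUB or shim projects: it parses a PE/EFI image's data directory and reports whether a certificate table is present at all, which is a quick way to confirm that an "unsigned kernel" really is unsigned before debugging the shim/GRUB chain. It does not validate the signature chain; `build_stub` constructs minimal PE32+ stubs purely for demonstration.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory


def authenticode_table(image: bytes):
    """Return (offset, size) of the Authenticode certificate table of a PE/EFI
    image, or None when the image embeds no signature at all."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:               # PE32+ (the usual x86_64 UEFI binary)
        dir_base = opt + 112
    elif magic == 0x10B:             # PE32 (32-bit)
        dir_base = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    off, size = struct.unpack_from("<II", image, dir_base + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return None                  # no certificate table: image is unsigned
    if off + size > len(image):
        raise ValueError("certificate table points outside the image")
    return off, size


def is_signed(image: bytes) -> bool:
    """True when the image carries an Authenticode table (signature not validated)."""
    return authenticode_table(image) is not None


def build_stub(signed: bool) -> bytes:
    """Constructed minimal PE32+ stub for demonstration only; not bootable."""
    opt = bytearray(240)             # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    header += b"PE\0\0" + b"\0" * 20                          # PE sig + COFF header
    body = bytes(0x200 - len(header) - len(opt))
    cert = b"\0" * 0x80              # placeholder WIN_CERTIFICATE blob at 0x200
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x200, len(cert))
    return header + bytes(opt) + body + (cert if signed else b"")


if __name__ == "__main__":
    print("signed stub:", is_signed(build_stub(True)))      # True
    print("unsigned stub:", is_signed(build_stub(False)))   # False
```

To check a real kernel or GRUB image, pass the file contents to `is_signed`; a `None` result from `authenticode_table` is exactly the case shim refuses to boot.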