Score:0

Can't boot with secure boot and with the kernel signed


I want to use Secure Boot with my own keys and with the kernels that I sign. I have gotten Grub to boot, but not with the signed kernel. I get this message: "Error: /vmlinuz-5.4.0.91-generic has invalid signature".

This is what I have done:

mkdir keys
cd keys

# save the current forbidden-signature database (dbx) so it can be re-enrolled later
efi-readvar -v dbx -o dbx.esl

# (reboot and clear default secureboot keys in the firmware config)

export myuuid=e9ffcff5-9186-4da1-ae89-654000af85eb

# create keys (self-signed certificates for PK, KEK and db)
openssl req -subj "/CN=SecBoot PK cert/"  -new -x509 -newkey rsa:2048 -nodes -days 730 -outform PEM -keyout "PK.key"  -out "PK.pem"
openssl req -subj "/CN=SecBoot KEK cert/" -new -x509 -newkey rsa:2048 -nodes -days 730 -outform PEM -keyout "KEK.key" -out "KEK.pem"
openssl req -subj "/CN=SecBoot db cert/"  -new -x509 -newkey rsa:2048 -nodes -days 730 -outform PEM -keyout "db.key"  -out "db.pem"

# convert the certificates to EFI signature lists (.esl)
cert-to-efi-sig-list -g "$myuuid" PK.pem  PK.esl
cert-to-efi-sig-list -g "$myuuid" KEK.pem KEK.esl
cert-to-efi-sig-list -g "$myuuid" db.pem  db.esl

# sign keys (PK and KEK updates are signed with the PK, db and dbx with the KEK)
sign-efi-sig-list -g "$myuuid" -c PK.pem  -k PK.key  PK  PK.esl  PK.auth
sign-efi-sig-list -g "$myuuid" -c PK.pem  -k PK.key  KEK KEK.esl KEK.auth
sign-efi-sig-list -g "$myuuid" -c KEK.pem -k KEK.key db  db.esl  db.auth
sign-efi-sig-list -g "$myuuid" -c KEK.pem -k KEK.key dbx dbx.esl dbx.auth

# add keys in firmware
efi-updatevar -k PK.key  -g "$myuuid" -f PK.auth  PK
efi-updatevar -k PK.key  -g "$myuuid" -f KEK.auth KEK
efi-updatevar -k KEK.key -g "$myuuid" -f db.auth  db
efi-updatevar -k KEK.key -g "$myuuid" -f dbx.auth dbx

# remove current signature (optional, I tried removing and not removing)
sbattach --remove /boot/efi/EFI/BOOT/BOOTX64.EFI
sbattach --remove /boot/efi/EFI/ubuntu/grubx64.efi
sbattach --remove /boot/vmlinuz-5.4.0.91-generic

# sign binaries with the db key (signed in place)
sbsign --key db.key --cert db.pem --output /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/BOOTX64.EFI
sbsign --key db.key --cert db.pem --output /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grubx64.efi
sbsign --key db.key --cert db.pem --output /boot/vmlinuz-5.4.0.91-generic /boot/vmlinuz-5.4.0.91-generic

Note 1: If possible, I don't want to use MOK, because it requires a reboot and I'm trying to install using an unattended script.

Note 2: I have tried using shim-signed and booting works, but it boots even though I don't sign the kernel, so I don't consider it safe as it boots with any kernel.

EDIT: I use Ubuntu 20.04.3

Score:0

Setting PK will change the mode to user mode. You should add it last.

# enrol KEK and db first while the firmware is still in setup mode
# (KEK.crt / DB.crt are the KEK and db certificates, i.e. KEK.pem / db.pem above)
efi-updatevar -a -k PK.key  -g "$myuuid" -c KEK.crt KEK
efi-updatevar -a -k KEK.key -g "$myuuid" -c DB.crt db
# set PK last: this switches the firmware to user mode
efi-updatevar -f PK.auth PK
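As an added example (not code from the question or the answer), here is a Python parser for the .esl format that cert-to-efi-sig-list writes and that efi-readvar -o dumps, so that after enrolment you can read db back out of the firmware and confirm the DER form of db.pem is really present before trusting a kernel signed with db.key. The "certificate" and hash bytes are constructed stand-ins; OWNER_GUID is the $myuuid from the question.

```python
import struct
import uuid

# SignatureType GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner GUID used in the question ($myuuid)
OWNER_GUID = uuid.UUID("e9ffcff5-9186-4da1-ae89-654000af85eb")

def parse_esl(data: bytes):
    """Yield (signature_type, owner, signature_data) for each entry of one or
    more concatenated EFI_SIGNATURE_LISTs. Header is 28 bytes: SignatureType
    GUID, then SignatureListSize, SignatureHeaderSize, SignatureSize (LE u32).
    Each entry is EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        entries_len = list_size - 28 - hdr_size
        if sig_size <= 16 or entries_len % sig_size:
            raise ValueError("bad SignatureSize")
        for e in range(off + 28 + hdr_size, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[e:e + 16])
            yield sig_type, owner, data[e + 16:e + sig_size]
        off += list_size

def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all entries must have the same length."""
    body = b"".join(owner.bytes_le + d for d in entries)
    hdr = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0]))
    return hdr + body

def cert_enrolled(esl: bytes, der_cert: bytes) -> bool:
    """True if der_cert appears as an X.509 entry anywhere in the dump."""
    return any(t == EFI_CERT_X509_GUID and d == der_cert for t, _, d in parse_esl(esl))

# Constructed sample: a stand-in DER certificate plus one SHA-256 hash list,
# concatenated the way a real db dump with several lists looks.
SAMPLE_CERT = bytes(range(40))
SAMPLE_HASH = bytes([0xAB]) * 32
SAMPLE_ESL = (build_esl(EFI_CERT_X509_GUID, OWNER_GUID, [SAMPLE_CERT])
              + build_esl(EFI_CERT_SHA256_GUID, OWNER_GUID, [SAMPLE_HASH]))
```

On a real machine the two inputs for cert_enrolled come from `efi-readvar -v db -o db.esl` and `openssl x509 -in db.pem -outform DER -out db.der`.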