On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V <bhas...@unixindia.com> wrote: > > I generated a pr/pk pair and the kernel is signed. Placed them in the > kernel tree and compiled the kernel.
I don't think you are supposed to check-in/compile-in the private key. It is usually supposed to stay private. > Could someone tell me what am I doing wrong please ? > > Below is the status (I am using loader.efi from linuxfoundation) > When i boot debian stock kernel signed, i see that the secure boot > gets enabled (hence bios and everything else seems to be fine with the > same UEFI loader). > However, when I boot the compiled kernel I get > > $ dmesg | grep -i secure > [ 0.007085] Secure boot could not be determined > > > $ sbverify --list bootx64.efi > warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections? > signature 1 > image signature issuers: > - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft > Corporation UEFI CA 2011 > image signature certificates: > - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft > Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher > issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft > Corporation/CN=Microsoft Corporation UEFI CA 2011 > - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft > Corporation/CN=Microsoft Corporation UEFI CA 2011 > issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft > Corporation/CN=Microsoft Corporation Third Party Marketplace Root > $ sbverify --list ./loader.efi > signature 1 > image signature issuers: > - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv > image signature certificates: > - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv > issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv > $ sbverify --list ../../linux/k.bcv > signature 1 > image signature issuers: > - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv > image signature certificates: > - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv > issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv Have a look at <https://wiki.debian.org/SecureBoot>, and the use of the Machine Owner Key (MOK). Jeff
