On Tue, 1 Oct 2019 at 13:18, Mick <michaelkintz...@gmail.com> wrote:
> When using Secure Boot the UEFI firmware checks the binaries to be
> loaded have been signed by Microsoft. The 'SHA256 verified' message
> indicates the systemd-boot binary is signed using a key which is
> ultimately signed by Microsoft and is contained in the whitelist
> (MokList). If the verification failed I think it would spit something
> back to allow you to enrol a valid hash or key.

Scratch that - the message itself is a debug message following an early SHA-256 implementation self-test[1] before the systemd-provided random seed file is loaded. All the Secure Boot signature checks that follow will utilise the random seed file systemd provides.

[1] https://github.com/systemd/systemd/blob/4c858c6fd5d588b30d9851bb576520e74b041739/src/boot/efi/random-seed.c#L172

--
Regards,
Mick