help-grub

Re: Difficulty Enabling Secure Boot with Custom Keys


From: Andrei Borzenkov
Subject: Re: Difficulty Enabling Secure Boot with Custom Keys
Date: Fri, 9 Oct 2020 08:49:49 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

07.10.2020 18:26, Scott Colby wrote:
> Hello,
> 
> I am trying to enable secure boot with GRUB on the latest Debian
> 10 with custom secure boot keys. Unfortunately, I am receiving an
> error from GRUB: "error: /vmlinuz-4.19.0-11-amd64 has invalid
> signature".
> 
> Here are the steps that I have taken:
> 
> - generated 3 keys for the PK, KEK, and db key
> - added those to my system's firmware
> - signed ESP/EFI/debian/grubx64.efi with the db key
> - signed /boot/vmlinuz-4.19.0-1{0,1}-amd64 with the db key
> - enabled secure boot
> 

The only string "invalid signature" I can find in upstream sources is in
chainloader, so it looks like your distribution adds patches in which
case you are better off asking your distribution support channels.

> My system firmware happily loads the signed grubx64.efi and takes
> me to the boot menu. I think I am lacking some understanding of how
> GRUB verifies the signatures of the kernel image that it loads--I
> thought that it would compare the signature to the db key from the
> EFI variables, but that doesn't seem to work.
> 
> Here are the troubleshooting steps I have tried:
> 
> - running update-grub and update-initramfs: no change
> - removing the extra signature on the kernel images (in my initial
>   configuration, they had been signed by both my and Debian's key):
>   no change
> 
> What am I missing here?
> 

grub itself does not verify anything at all (unless, again, it was patched
by your distribution). It calls into shim, which must be loaded before
grub itself. Also, if you are using the current upstream version, you must
load the shim_lock module; until recently grub did not have any secure boot
support at all and was patched by distributions to call shim as part of
loading the kernel.
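A small diagnostic that is not part of this thread or of GRUB: before chasing the shim/shim_lock question it helps to know what the kernel image actually carries. Authenticode signatures on a PE/COFF file such as vmlinuz or grubx64.efi live in the Attribute Certificate Table (data directory entry 4, whose "VirtualAddress" is a raw file offset), as a chain of 8-byte-aligned WIN_CERTIFICATE records, one per signer. The script below walks that table and lists every signature, which shows directly whether an image is unsigned, singly signed, or double-signed as the original poster described. It does not validate any signature (use sbverify or pesign for that) and says nothing about which certificates shim or the firmware will accept. The sample PE32+ image it builds is constructed here for the demonstration only; it is not bootable and has no real PKCS#7 data in it. Point the script at a real file to inspect that instead.

```python
#!/usr/bin/env python3
"""List the Authenticode signatures embedded in a PE/COFF image.

Added example, not from the help-grub thread or from GRUB itself.
Only the standard library is used; the sample image is constructed below.
"""
import struct
import sys

WIN_CERT_REVISION_2_0 = 0x0200            # revision used by Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the Attribute Certificate Table


def _align8(n):
    return (n + 7) & ~7


def certificate_table_range(image):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                   # PE32
        dd_off, nrva_off = 96, 92
    elif magic == 0x20B:                 # PE32+ (what x86_64 EFI binaries use)
        dd_off, nrva_off = 112, 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", image, opt + nrva_off)[0]
    needed = dd_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or needed > size_of_optional:
        return (0, 0)
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # For this directory entry the first field is a file offset, not an RVA.
    return struct.unpack_from("<II", image, entry)


def list_signatures(image):
    """Return one dict per WIN_CERTIFICATE record in the certificate table."""
    off, size = certificate_table_range(image)
    sigs = []
    if size == 0:
        return sigs
    end = off + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    pos = off
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        sigs.append({"offset": pos, "length": length, "revision": revision,
                     "type": ctype, "blob": image[pos + 8:pos + length]})
        pos = _align8(pos + length)      # records are padded to 8-byte boundaries
    return sigs


def _win_certificate(blob):
    """Wrap a blob in a WIN_CERTIFICATE header and pad it to 8 bytes."""
    hdr = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                      WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    body = hdr + blob
    return body + b"\0" * (_align8(len(body)) - len(body))


def build_sample_pe(blobs):
    """Constructed, non-bootable PE32+ image carrying the given (fake) signature blobs."""
    certs = b"".join(_win_certificate(b) for b in blobs)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8              # PE32+ fixed part plus 16 data directories
    cert_off = _align8(e_lfanew + 4 + 20 + opt_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off if certs else 0, len(certs))    # security directory
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (cert_off - len(image)) + certs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Two fake signers, mirroring an image signed by both a distro and a custom db key.
        data = build_sample_pe([b"pkcs7-signature-1", b"pkcs7-signature-2 (second signer)"])
    for i, s in enumerate(list_signatures(data), 1):
        print("signature %d: offset=%d length=%d revision=0x%04x type=0x%04x"
              % (i, s["offset"], s["length"], s["revision"], s["type"]))
```

Run it as `python3 list_sigs.py /boot/vmlinuz-4.19.0-11-amd64` (or against grubx64.efi on the ESP). Zero records means sbsign never touched the file; two records means both the distribution's and your own signature are present, which is legal in the format but worth knowing when you are trying to work out which key a verifier actually matched.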


