On Thu, Jun 20, 2024 at 3:57 PM Jeffrey Walton <noloa...@gmail.com> wrote:
>
> On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V <bhas...@unixindia.com> wrote:
> >
> > I generated a pr/pk pair and the kernel is signed. Placed them in the
> > kernel tree and compiled the kernel.
>
> I don't think you are supposed to check-in/compile-in the private key.
> It is usually supposed to stay private.
>
> > Could someone tell me what I am doing wrong please?
> >
> > Below is the status (I am using loader.efi from linuxfoundation).
> > When I boot the Debian stock kernel, signed, I see that the secure boot
> > gets enabled (hence BIOS and everything else seems to be fine with the
> > same UEFI loader).
> > However, when I boot the compiled kernel I get
> >
> > $ dmesg | grep -i secure
> > [ 0.007085] Secure boot could not be determined
> >
> >
> > $ sbverify --list bootx64.efi
> > warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
> > signature 1
> > image signature issuers:
> >  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > image signature certificates:
> >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
> >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> >    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> > $ sbverify --list ./loader.efi
> > signature 1
> > image signature issuers:
> >  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> > image signature certificates:
> >  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> >    issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> > $ sbverify --list ../../linux/k.bcv
> > signature 1
> > image signature issuers:
> >  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> > image signature certificates:
> >  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> >    issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>
> Have a look at <https://wiki.debian.org/SecureBoot>, and the use of
> the Machine Owner Key (MOK).
Thanks Jeff. I did follow this. Like I had mentioned before, the stock kernel still works in locked-down mode with secure boot, whereas the kernel I have compiled and signed does not. Is there a way to debug why exactly this does not work?

> Jeff
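The `sbverify --list` output quoted in the thread comes from the PE/COFF certificate table (data directory entry 4, `IMAGE_DIRECTORY_ENTRY_SECURITY`) of each EFI image. The following is an added example, not code from the posts above and not part of sbsigntool: it walks the PE headers to that directory and lists the `WIN_CERTIFICATE` entries it holds, which is the first thing to check when a self-signed image behaves differently from a distribution one (no entry at all means the signing step never touched the file; an entry with the wrong revision or type is not Authenticode). The function names `security_directory`, `list_signatures` and `build_sample_image` are this example's own; the sample image is constructed in memory and is not bootable, and its certificate bodies are placeholder bytes rather than real PKCS#7 SignedData.

```python
"""List the Authenticode certificate table of a PE/COFF (EFI) image.

Added example: not code from the mailing-list posts or from sbsigntool.
The sample image built by build_sample_image() is constructed test data.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200           # revision used by Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds PKCS#7 SignedData


def security_directory(image: bytes):
    """Return (file_offset, size) of the certificate table, or (0, 0) if none."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # The data directories follow the standard and Windows-specific fields;
    # several of those are 8 bytes instead of 4 in PE32+, so the directory
    # table starts at optional-header offset 96 (PE32) or 112 (PE32+).
    if magic == PE32_MAGIC:
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", image, dirs - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs < 5 or dirs + 5 * 8 > opt + size_of_opt:
        return 0, 0
    # Entry 4 is the security directory. Unlike every other directory, its
    # "VirtualAddress" is a raw file offset: the table is never mapped.
    return struct.unpack_from("<II", image, dirs + 4 * 8)


def list_signatures(image: bytes):
    """Return a dict per WIN_CERTIFICATE entry in the certificate table."""
    off, size = security_directory(image)
    entries = []
    if off == 0 or size == 0:
        return entries  # unsigned: nothing for sbverify to list either
    end = off + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError(f"malformed WIN_CERTIFICATE at {off:#x}")
        entries.append({
            "offset": off,
            "length": length,
            "revision": revision,
            "type": cert_type,
            "is_authenticode": revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "body": image[off + 8:off + length],
        })
        # Entries start on 8-byte boundaries; round up regardless of whether
        # the writer counted the padding in dwLength.
        off += (length + 7) & ~7
    return entries


def build_sample_image(cert_bodies):
    """Constructed PE32+ image (test data, not bootable) with a certificate
    table at file offset 0x200 holding one entry per element of cert_bodies."""
    table = b""
    for body in cert_bodies:
        length = 8 + len(body)
        table += struct.pack("<IHH", length, WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        table += b"\0" * (-length % 8)
    table_off = 0x200
    img = bytearray(table_off)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: x86-64, no sections, SizeOfOptionalHeader = 112 + 16 dirs.
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 4 * 8, table_off, len(table))
    return bytes(img) + table


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for s in list_signatures(f.read()):
            print(f"offset={s['offset']:#x} length={s['length']} "
                  f"revision={s['revision']:#06x} type={s['type']:#06x} "
                  f"authenticode={s['is_authenticode']}")
```

Run it as `python3 pe_sigs.py bootx64.efi` (or on `k.bcv`) to see whether a signature table is present before reaching for sbverify; the `body` bytes of each entry are the DER PKCS#7 blob that `sbverify --list` parses for the issuer and subject names. The "data remaining" warning sbverify printed for `bootx64.efi` is about bytes in the file that neither a section nor this table accounts for; it is a layout observation, not a verification failure.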
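The "Secure boot could not be determined" line in the quoted dmesg is the kernel's third outcome besides "enabled" and "disabled": it is reported when the firmware variables the decision depends on could not be read, rather than when they say Secure Boot is off. As an added example (not code from the posts above and not kernel code), the block below reproduces that classification in userspace from the `SecureBoot` and `SetupMode` variables as exposed by efivarfs. Assumptions: efivarfs is mounted at `/sys/firmware/efi/efivars` (the path is a parameter so the logic runs against a constructed directory), both variables live under the EFI global variable GUID, and the 4-byte attribute word efivarfs prepends to every variable must be skipped. The function names `read_efivar`, `secure_boot_state` and `write_sample_efivars` are this example's own.

```python
"""Classify the UEFI Secure Boot state from efivarfs.

Added example, not code from the mailing-list posts or from the kernel.
The kernel's EFI stub makes the same decision at boot from the same two
variables; reading them back from efivarfs afterwards is a userspace check.
"""
import os
import tempfile

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # assumed mount point of efivarfs


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE_GUID, efivars=EFIVARS):
    """Return the variable's data bytes, or None if it does not exist.

    Any other failure (permission denied, I/O error, file too short to hold
    the attribute word) propagates as OSError/ValueError so the caller can
    tell "absent" from "could not be read".
    """
    path = os.path.join(efivars, f"{name}-{guid}")
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        raw = f.read()
    if len(raw) < 4:
        raise ValueError(f"{path}: missing efivarfs attribute header")
    return raw[4:]  # first 4 bytes are the variable's attribute flags


def secure_boot_state(efivars=EFIVARS):
    """Return "enabled", "disabled" or "unknown".

    - SecureBoot variable absent: firmware offers no Secure Boot -> disabled.
    - SecureBoot present but SetupMode absent, or either unreadable -> unknown
      (the situation the kernel logs as "Secure boot could not be determined").
    - SecureBoot == 1 and SetupMode == 0 -> enabled; any other values -> disabled.
    """
    try:
        secboot = read_efivar("SecureBoot", efivars=efivars)
        if secboot is None:
            return "disabled"
        setupmode = read_efivar("SetupMode", efivars=efivars)
        if setupmode is None:
            return "unknown"
    except (OSError, ValueError):
        return "unknown"
    if secboot[:1] == b"\x01" and setupmode[:1] == b"\x00":
        return "enabled"
    return "disabled"


def write_sample_efivars(secureboot, setupmode):
    """Constructed fixture: a fresh directory laid out like efivarfs, with the
    4-byte attribute word (BS+RT = 0x06, as these variables carry) before each
    value. Pass None to leave a variable absent, or b"" to create a truncated
    file that will fail to read. Returns the directory path."""
    directory = tempfile.mkdtemp(prefix="efivars-")
    for name, value in (("SecureBoot", secureboot), ("SetupMode", setupmode)):
        if value is None:
            continue
        path = os.path.join(directory, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
        with open(path, "wb") as f:
            f.write(b"" if value == b"" else b"\x06\x00\x00\x00" + value)
    return directory


if __name__ == "__main__":
    print(secure_boot_state())
```

On a live system, compare the result with `mokutil --sb-state` and with the kernel's own dmesg line; if userspace sees "enabled" while the booted kernel printed "could not be determined", the difference was in how that kernel read the variables at boot, not in the firmware's state.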