Hello,

I'm trying to create signed images with systemd's mkosi and need some general
help understanding how to implement it.
If this is not the correct forum for questions regarding mkosi then I
apologize and humbly ask for directions to the correct forum :-)

My steps:

Host:
Ubuntu 20.04
mkosi 13

Target:
Ubuntu 22.04

1. Build image without Secure Boot.
2. Create custom PK, KEK and db.
3. Convert keys and certs to EFI format (auth & esl).
4. Update UEFI firmware.
5. Sign my image with db.key and db.crt.
6. Activate Secure Boot.

This image boots fine with Secure Boot.
Next I created another image without any SecureBoot options.
Signed bootloader with only db.key and db.crt and activated Secure Boot.

The image boots with Secure Boot.

Next I want to create a signed image:
Add to mkosi.default
SecureBoot=yes
SecureBootKey=/work/mkosi_fork/mkosi/test_keys/db.key
SecureBootCertificate=/work/mkosi_fork/mkosi/test_keys/db.crt

Output from build showing correct binaries are getting signed:
https://pastebin.com/96YTeJSr

When I boot the image with Secure Boot enabled I get this error:

Error loading \xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\5.15.0-53-generic\linux: Access denied

Failed to execute Ubuntu 22.04 LTS (/xxxxxxxxxxxxxxxx/5.15.0.53-generic/linux access denied

Which I don't understand.

I re-created a new image with the wrong key and got the expected "Wrong Key".

But my initial error suggests that the image is signed correctly
(which I can verify that it is) but that there is something else it is
trying to do.

I noticed that when I manually signed the binaries the key was added
to /boot/efi/db but not when built with mkosi.

The sbsign section in __init__.py is the same as when I did it manually.


If anyone has any idea on how to proceed I would be very thankful.

Best Regards,

Willie
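When the firmware refuses a file with "Access denied", the first thing worth checking is whether every binary on the ESP (the bootloader, the stub and the kernel it loads) actually carries an Authenticode signature, before asking whether the signer is in db. The script below is an added example, not code from mkosi or systemd: it parses just enough of the PE/COFF headers to reach the Certificate Table data directory and the WIN_CERTIFICATE header it points at. The `build_sample_pe` fixture constructs a minimal PE32+ image purely for testing; the path `/boot/efi` in the usage comment is an assumption about where the ESP is mounted.

```python
"""Check whether PE/COFF binaries on an ESP carry an Authenticode signature.

Added example, not code from mkosi or systemd. It parses only the PE
headers needed to reach the Certificate Table data directory (entry 4)
and the WIN_CERTIFICATE header it points at, so an unsigned file can be
told apart from a signed one before asking whether the signer is in db.
"""
import os
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData (Authenticode)
WIN_CERT_REVISION_2_0 = 0x0200


def signature_status(data: bytes) -> dict:
    """Describe the Authenticode state of a PE image held in memory.

    'status' is one of 'not-pe', 'unsigned', 'signed' or 'malformed'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"status": "not-pe", "reason": "no MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"status": "not-pe", "reason": "no PE signature"}
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return {"status": "malformed", "reason": "truncated COFF header"}
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + 2 > len(data):
        return {"status": "malformed", "reason": "truncated optional header"}
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: data directories start at offset 112
        dirs_off = 112
    elif magic == 0x10B:      # PE32: data directories start at offset 96
        dirs_off = 96
    else:
        return {"status": "malformed", "reason": f"unknown magic {magic:#x}"}
    # Entry 4 is the Certificate Table; unlike the other entries its first
    # field is a file offset, not an RVA, because the blob is never mapped.
    cert_entry = opt + dirs_off + 4 * 8
    if cert_entry + 8 > opt + opt_size or cert_entry + 8 > len(data):
        return {"status": "unsigned", "reason": "no certificate directory"}
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)
    if cert_off == 0 or cert_size == 0:
        return {"status": "unsigned", "reason": "certificate table empty"}
    if cert_size < 8 or cert_off + cert_size > len(data):
        return {"status": "malformed", "reason": "certificate table out of range"}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if dw_length > cert_size or dw_length < 8:
        return {"status": "malformed", "reason": "bad WIN_CERTIFICATE length"}
    return {
        "status": "signed",
        "machine": machine,
        "cert_type": cert_type,
        "revision": revision,
        "pkcs7_len": dw_length - 8,   # bytes of PKCS#7 SignedData
    }


def scan_esp(root: str) -> dict:
    """Map every *.efi file and every file named 'linux' under root to its status."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".efi") or name == "linux":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = signature_status(fh.read())["status"]
    return results


def build_sample_pe(signed: bool, pkcs7: bytes = b"\x30\x82" + b"\x00" * 30) -> bytes:
    """Constructed minimal PE32+ image for testing; not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                   # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    header_len = 64 + 4 + 20 + 240
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, 112 + 4 * 8, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, blob in (("unsigned", build_sample_pe(False)),
                        ("signed", build_sample_pe(True))):
        print(label, signature_status(blob))
    # On a real system, mount the ESP and call scan_esp("/boot/efi") (assumed path).
```

A "signed" result only says a PKCS#7 blob is attached; it does not say who signed it. A kernel taken straight from a distribution package carries the distribution's signature, which this check reports as signed even though that signer is not in a custom db. To check the signer against your own certificate, run `sbverify --cert db.crt <file>` from sbsigntools on each file the scan lists.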
