Hi Lukasz,

I am having some problems getting that custom grub running with Secure Boot. I am using a Hyper-V VM with Fedora 33 to test this, after having to reinstall the OS twice on my NUC. I guess the end result will be the same in the VM and the NUC without TXT support.

My build instructions for grub are represented in the following Dockerfile:

    FROM fedora:33
    RUN dnf install -y git autoconf automake gettext-devel bison \
        findutils pkgconf-pkg-config python-unversioned-command \
        patch git-merge-changelog gcc flex
    RUN git clone https://git.savannah.gnu.org/git/grub.git
    WORKDIR grub
    RUN ./bootstrap && ./configure --with-platform=efi --target=x86_64 && make

Then, the process I follow to install it in my VM is:

    grub-install --efi-directory=/boot/efi
    /usr/local/sbin/grub-mkconfig -o /boot/grub/grub.cfg

After this, if I disable Secure Boot on the VM, my custom grub (in /boot/efi/EFI/grub/grubx64.efi) gets called in the boot chain. But if I enable Secure Boot, the default Fedora bootloader is called (/boot/efi/EFI/fedora/grubx64.efi).

To sign my custom grub, I am using the following (I know that it works for kernels, not sure for grub):

    dnf install -y sbsigntools

    cat > openssl.cnf << EOF
    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3
    string_mask = utf8only
    prompt = no

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = OR
    localityName = Hillsboro
    0.organizationName = Organization
    commonName = Secure Boot Signing
    emailAddress = secureb...@test.com

    [ v3 ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical,CA:FALSE
    extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
    nsComment = "OpenSSL Generated Certificate"
    EOF

    openssl req -config ./openssl.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 3650 -outform DER \
        -keyout MOK.key \
        -out MOK.der
    openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

    sbsign --key MOK.key --cert MOK.pem \
        --output ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
    cp ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
    mokutil --import MOK.der

After the reboot, I do MOK Management to import the key. But the system keeps booting with the /boot/efi/EFI/grub/grubx64.efi instead of my custom one.

Just to see what happens, I replaced the Fedora bootloader with my custom one, and I got the following error:

    error: verification requested but nobody cares: (hd0,gpt2)/grub/x86_64-efi/normal.mod
    Entering rescue mode
    grub rescue>

Any hints on what is happening?

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
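A check worth running before every reboot in a workflow like the one above is whether the grubx64.efi that was copied into the ESP actually carries an Authenticode signature block. The script below is an added example, not code from this thread, from GRUB or from sbsigntools: it parses the PE32+ headers of an EFI binary, locates the Certificate Table data directory (index 4) and enumerates the WIN_CERTIFICATE entries that sbsign appends there. Every name in it is hypothetical; build_sample_pe constructs a minimal PE image (not a real bootloader) whose PKCS#7 body is a placeholder string, so the script runs offline, and pointing it at a real file inspects that file instead.

```python
"""Inspect the Authenticode (Secure Boot) signature table of a PE/COFF EFI binary.

Hypothetical helper added as an example; it is not part of the mailing list
thread.  Input is a PE32+ image such as grubx64.efi; it locates the
IMAGE_DIRECTORY_ENTRY_SECURITY data directory and enumerates the
WIN_CERTIFICATE entries that sbsign appends there.
"""
import struct
import sys

# Constants from the PE/COFF and Authenticode specifications.
PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B
DIR_ENTRY_SECURITY = 4                 # index of the Certificate Table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def _data_directories_offset(magic):
    # Data directories start after the fixed part of the optional header.
    if magic == PE32PLUS_MAGIC:
        return 112
    if magic == PE32_MAGIC:
        return 96
    raise ValueError("unknown optional header magic 0x%x" % magic)


def certificate_table(image):
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    dirs = _data_directories_offset(magic)
    (num_dirs,) = struct.unpack_from("<I", image, opt + dirs - 4)  # NumberOfRvaAndSizes
    if num_dirs <= DIR_ENTRY_SECURITY:
        return (0, 0)                  # image declares no Certificate Table entry at all
    # For the Certificate Table the "VirtualAddress" field is a raw file offset.
    return struct.unpack_from("<II", image, opt + dirs + DIR_ENTRY_SECURITY * 8)


def signatures(image):
    """Enumerate WIN_CERTIFICATE entries; returns [] for an unsigned image."""
    off, size = certificate_table(image)
    if off == 0 or size == 0:
        return []
    end = off + size
    if end > len(image):
        raise ValueError("Certificate Table runs past end of file")
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        entries.append({"revision": revision, "type": cert_type,
                        "pkcs7": image[off + 8:off + length]})
        off += (length + 7) & ~7       # entries are padded to an 8-byte boundary
    return entries


def is_authenticode_signed(image):
    """True if at least one PKCS#7 signed-data entry with a non-empty body is present."""
    return any(e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA and e["pkcs7"]
               for e in signatures(image))


def build_sample_pe(signed):
    """Construct a minimal PE32+ image (not a real bootloader) for demonstration."""
    pkcs7 = b"DER-PLACEHOLDER-PKCS7!!!"        # constructed stand-in for the PKCS#7 blob
    opt_size = 112 + 16 * 8                    # PE32+ fixed part + 16 data directories
    header_len = 0x40 + 4 + 20 + opt_size      # DOS stub + "PE\0\0" + COFF + optional header
    cert_len = 8 + len(pkcs7)
    cert_len_aligned = (cert_len + 7) & ~7
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<H", PE32PLUS_MAGIC)
    opt += b"\0" * (108 - len(opt))            # remaining fixed fields zeroed
    opt += struct.pack("<I", 16)               # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if signed:
        dirs[DIR_ENTRY_SECURITY] = (header_len, cert_len_aligned)
    for va, size in dirs:
        opt += struct.pack("<II", va, size)
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        cert = struct.pack("<IHH", cert_len, WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        image += cert + b"\0" * (cert_len_aligned - cert_len)
    return image


if __name__ == "__main__":
    # Usage: python3 pe_sigcheck.py /boot/efi/EFI/grub/grubx64.efi
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    for i, e in enumerate(signatures(data)):
        print("entry %d: revision 0x%04x type 0x%04x, %d bytes of PKCS#7"
              % (i, e["revision"], e["type"], len(e["pkcs7"])))
    print("authenticode signature present:", is_authenticode_signed(data))
```

The script only answers "is there a signature block here at all"; it does not validate the PKCS#7 contents or the certificate chain, which is what sbverify --cert MOK.pem does, and it says nothing about which binary the firmware or shim picks from the ESP. It is useful precisely for separating the two failure modes the message mixes: a binary that was never signed (empty Certificate Table) versus a signed binary that the boot chain declines to trust.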