Closed. L12C closed this 10 months ago
`sbctl` only checks your EFI system partition, which is probably mounted to `/efi`. `/boot` containing EFI files you are using to boot is a wart that relies on grub's ability to read different filesystems beyond FAT32.
I'm probably not going to add support to check directories beyond the ESP.
If there isn't anything else I'll close this :)
After installing Arch according to https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB) and using `--modules="tpm" --disable-shim-lock` with the `grub-install` command (as instructed in the arch wiki article for GRUB), `sbctl verify` only initially listed `/efi/EFI/GRUB/grubx64.efi` as needing signing. Without knowing too much of the inner workings, I assume this is a guess at which files need to be signed for the system to boot, but after completing the installation with only that file signed, I could boot GRUB in secure boot mode, but got `You need to load the kernel first` when trying to continue past it. From several threads I gathered that `/boot/vmlinuz-linux` likely needed to be signed as well, and doing so fixed the boot issue, but I wonder why `sbctl verify` didn't include it from the beginning.
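Since `sbctl verify` only walks the ESP, a kernel that GRUB loads from a non-FAT `/boot` (the setup above) is never listed. The following added example, which is not sbctl's own code, checks any directory you name for PE images whose Authenticode Certificate Table is empty, i.e. EFI binaries that carry no Secure Boot signature at all; the `/efi` and `/boot` paths, the `constructed_pe32plus` test image and the function names are assumptions made here.

```python
import os
import struct

def pe_has_authenticode_signature(data: bytes) -> bool:
    """True if the PE image's Certificate Table (data directory 4) is non-empty; validity is not checked."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                     # PE32+ (x86_64 EFI stub kernels, grubx64.efi)
        dirs = opt + 112
    elif magic == 0x10B:                                   # PE32
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, dirs - 4)[0] < 5:    # NumberOfRvaAndSizes
        return False
    off, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return off != 0 and size != 0

def find_unsigned_pe_files(roots):
    """Walk each root (e.g. /efi and /boot) and return PE files lacking a signature."""
    unsigned = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        head = f.read(8192)                # headers sit in the first pages
                    if head[:2] == b"MZ" and not pe_has_authenticode_signature(head):
                        unsigned.append(path)
                except (OSError, ValueError):
                    continue                               # unreadable, or not a PE image (initramfs, configs)
    return unsigned

def constructed_pe32plus(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header (not bootable) used only to exercise the check."""
    dos = bytearray(b"MZ") + bytearray(0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, 0x400 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Running `find_unsigned_pe_files(["/efi", "/boot"])` as root on the system described above would report `/boot/vmlinuz-linux` before it is signed, which is exactly the file `sbctl verify` did not see.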