Metabolix / HackBGRT

Windows boot logo changer for UEFI systems
MIT License

can i use my selfsigned cert? #174

Closed akimoto72738 closed 7 months ago

akimoto72738 commented 7 months ago

Thanks to your solution, both my laptop and desktop can now display my company's logo upon boot.

After reading the contents of shim.md, I understand that it relies on the trusted status of shim. Therefore, my question is, given that your BGRT uses a self-signed certificate “HackBGRT Secure Boot Signer”, may I inquire whether I can replace it with my own self-signed certificate? My company has a self-signed root certificate, and I am curious if I can utilize the MOK to trust the self-signed root certificate, subsequently signing EFI files with certificates issued by this root certificate.

My aspiration is to exclusively use my certificate to sign BGRT while simultaneously utilizing your provided setup.exe to execute file additions. Is this feasible? I actually know very little about UEFI secure boot.

Thank you once again

Metabolix commented 7 months ago

As explained in shim.md, you don't need to use any certificate at all, if you enroll the executable by hash (not by certificate). It doesn't matter who signed the file, if you only trust the hash.

Using your own certificate is of course possible, but you don't really gain much, since you will still need to enroll something (either the hash or the certificate). The main difference is that if you ever need to upgrade HackBGRT, the hash needs to be enrolled again, but if you have enrolled the certificate you can avoid this step.

Enrolling the certificate directly into firmware is often complex, but that's an option where you can avoid using shim.

The Makefile has Linux commands for creating a certificate and signing the executables. I'm sure the tools have documentation for using an existing certificate. If you need to do the signing on Windows, check SignTool.exe.
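The Linux workflow the reply points at (create a signing certificate, sign the EFI binary, enroll the certificate rather than the hash so upgrades do not need re-enrollment), as an added example. This is not the HackBGRT Makefile's own code: the file names, the subject CN and the 10-year validity are assumptions, and the `sbsign`/`sbverify` calls only run when the `sbsigntools` package is installed.

```shell
#!/bin/sh
# Added example, not HackBGRT's Makefile. Creates a self-signed Secure Boot
# signing certificate, exports it in DER form (what mokutil --import takes and
# what shim's MokManager then enrolls), and signs/verifies an EFI binary.
# File names under $WORK and the certificate subject are constructed values.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Generate an RSA key and self-signed X.509 certificate usable by sbsign.
# Prints the path of the DER copy that you would pass to `mokutil --import`.
make_signing_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Corp Secure Boot Signer/" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
    # PEM is what sbsign reads; DER is what the MOK tooling expects.
    openssl x509 -in "$WORK/signer.crt" -outform DER -out "$WORK/signer.cer"
    echo "$WORK/signer.cer"
}

# Show which subject will end up in the MOK list, so the enrollment prompt
# in MokManager can be checked against the certificate you actually created.
cert_subject() {
    openssl x509 -in "$WORK/signer.crt" -noout -subject
}

# Sign an EFI PE binary with the certificate above and verify the signature.
# Returns 0 on success, 2 when sbsign/sbverify are not installed.
sign_efi() {
    efi="$1"
    command -v sbsign >/dev/null 2>&1 || {
        echo "sbsign not installed (package sbsigntools); skipping" >&2
        return 2
    }
    sbsign --key "$WORK/signer.key" --cert "$WORK/signer.crt" \
        --output "$efi.signed" "$efi"
    # A binary that verifies against the enrolled certificate keeps booting
    # through shim after an upgrade; a hash-enrolled one must be re-enrolled.
    sbverify --cert "$WORK/signer.crt" "$efi.signed"
}

# Usage (assumed paths):
#   make_signing_cert            -> prints $WORK/signer.cer for mokutil --import
#   sign_efi /path/to/bootx64.efi  -> writes /path/to/bootx64.efi.signed
```

The private key stays in `$WORK/signer.key`; once the DER certificate is queued with `mokutil --import` and confirmed in MokManager at the next boot, any later HackBGRT build signed with that same key is accepted without touching the MOK list again, which is the upgrade advantage the reply describes.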