Open TimoVerbrugghe opened 5 days ago
Dump of PK, KEK & db files from /sys/firmware/efi/efivars/... at the request of @RaitoBezarius
PK: https://pastebin.com/e1q6NPU7
db: https://pastebin.com/LayiAD4V
KEK: https://pastebin.com/Tgs6RFz3
For additional context, I just tried manually adding Preloader.efi & HashTool.efi to my boot partition, copying systemd-bootx64.efi to loader.efi, and then adding the hashes using HashTool.efi.
This only worked when I added both the hash of loader.efi & the hash of the initrd in /boot/EFI/nixos/initrd..., so I could boot. This did work and I can boot into NixOS with Secure Boot this way (however, I would have to re-add every NixOS generation I build using HashTool.efi this way).
I believe lanzaboote creates EFI stubs in /boot/EFI/Linux which include a hash of the initrd EFI file, but I don't know if something is going wrong there?
Big thanks already for all the work done here :).
My setup:
Currently able to load the bootloader in Secure Boot, but not able to boot any generation that I select (the auto-detected Windows 11 entry does boot). If I select a NixOS generation, the screen goes black for a few seconds, then the boot menu comes up again.
Information below; is there anything else you want me to add in terms of logs?
Steps I've taken:
Installed sbctl & lanzaboote using flake config
Created secure boot keys
sbctl verify confirms that generations are signed
According to the instructions, you then need to enable Secure Boot first before enrolling the keys. I tried this and enabled Secure Boot in the Surface UEFI, but then the Linux bootloader did not load at all; it went directly to Windows Boot Manager (I checked the boot order to confirm Linux Boot Manager is first).
Rebooted with Secure Boot disabled and enrolled the keys.
This enables Secure Boot, because after enrolling the keys and booting directly into the Surface UEFI, it says that Secure Boot is enabled with "custom key configuration" (an option you can't select directly from the UEFI menu).
The bootloader now shows up in Secure Boot, but no generations can boot.
Bootctl status output: