rhboot / shim

UEFI shim loader

Custom PXE Centos 7 Secureboot MOK is not validated #332

Open JeanOtis opened 3 years ago

JeanOtis commented 3 years ago

Hi,

I am trying to get shim working with PXE by building it myself and inserting the key during the build process. However, my MOK is never used in checking subsequent boot components such as grub or the kernel. Secure Boot is on and the DB keys are used to validate grub and the kernel. I checked this by removing the keys with sbsigntools; whilst trying to load grub it gave me an error, as is correct. Then for testing I tried to remove the MOK key signature from grub and the kernel, and shim allowed booting. My build process is as follows:

```sh
make clean
# copy the MOK public certificate into the tree so it can be embedded as the vendor cert
cp ${MOK_KEY_LOC} ./pub.cer
make VENDOR_CERT_FILE=pub.cer
# install into the TFTP root with grubx64.efi as the default second-stage loader
make ENABLE_SBSIGN=1 TOPDIR=. EFIDIR=. DESTDIR=/var/lib/tftpboot \
          DEFAULT_LOADER=\\\\grubx64.efi install
```

I tried many variants of the last line, basically trying all variables outlined in the BUILDING file.

I'm using the shim-15 release and grub-2.02-90.

Thanks in advance
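The test described in the report strips individual signatures from grub and the kernel, which only makes sense if each binary carries more than one attached Authenticode signature (for example one made with a db key and one with the MOK). The following Python script is an added example, not code from the issue or the shim project: it walks a PE file's Certificate Table (data directory index 4) and lists every WIN_CERTIFICATE entry, so a defender can confirm how many signatures a boot component carries before and after removing one with sbsigntools. The sample image and its certificate payloads are constructed inline; they are not real PKCS#7 blobs, and the function names `list_attached_signatures` and `build_sample_pe` are this example's own.

```python
import struct

# Index of IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header's data directories.
SECURITY_DIRECTORY_INDEX = 4
# Values from the PE/Authenticode specification for a PKCS#7 SignedData entry.
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def _align8(n: int) -> int:
    return (n + 7) & ~7


def list_attached_signatures(pe: bytes) -> list:
    """Return one dict per WIN_CERTIFICATE entry attached to the PE image.

    Each dict carries the entry's file offset, dwLength, wRevision, wCertificateType
    and the raw payload (normally a PKCS#7 DER blob, which is not decoded here).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # The data directory array sits at a different offset for PE32+ and PE32.
    if magic == 0x20B:      # PE32+ (x86_64 UEFI binaries such as grubx64.efi)
        nrva_off, dir_base = opt + 108, opt + 112
    elif magic == 0x10B:    # PE32
        nrva_off, dir_base = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    number_of_rva = struct.unpack_from("<I", pe, nrva_off)[0]
    entry = dir_base + 8 * SECURITY_DIRECTORY_INDEX
    if number_of_rva <= SECURITY_DIRECTORY_INDEX or entry + 8 > opt + size_of_optional:
        return []   # no security directory at all
    # For the security directory the first field is a file offset, not an RVA.
    table_off, table_size = struct.unpack_from("<II", pe, entry)
    if table_off == 0 or table_size == 0:
        return []   # directory present but empty: the binary is unsigned
    if table_off + table_size > len(pe):
        raise ValueError("certificate table runs past end of file")

    signatures = []
    pos, end = table_off, table_off + table_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry at offset %d" % pos)
        signatures.append({
            "offset": pos,
            "length": length,
            "revision": revision,
            "type": cert_type,
            "payload": pe[pos + 8:pos + length],
        })
        pos = _align8(pos + length)   # entries are 8-byte aligned
    return signatures


def build_sample_pe(payloads: list) -> bytes:
    """Construct a minimal PE32+ image whose certificate table holds the given payloads.

    Constructed test data only: the payloads stand in for PKCS#7 blobs.
    """
    table = b""
    for p in payloads:
        e = struct.pack("<IHH", 8 + len(p), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + p
        table += e + b"\0" * (_align8(len(e)) - len(e))
    e_lfanew = 64
    opt_size = 112 + 16 * 8                      # PE32+ header with 16 data directories
    table_off = _align8(e_lfanew + 4 + 20 + opt_size)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2002)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIRECTORY_INDEX] = (table_off, len(table))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    image = dos + b"PE\0\0" + coff + opt
    return image + b"\0" * (table_off - len(image)) + table


if __name__ == "__main__":
    # Constructed sample: a binary carrying two attached signatures.
    sample = build_sample_pe([b"constructed-db-signer", b"constructed-mok-signer"])
    for s in list_attached_signatures(sample):
        print("offset=%(offset)d length=%(length)d type=0x%(type)04x" % s)
```

Run it against a real `grubx64.efi` by reading the file into `list_attached_signatures`; a count of two before and one after `sbattach --remove` style stripping confirms the experiment in the report was exercising a dual-signed binary. The script does not decode the PKCS#7 payload, so identifying which key (db or MOK) made each signature still requires `sbverify` or `pesign`.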

vathpela commented 3 years ago

Can you try this with https://github.com/rhboot/shim/tree/shim-15.2 or https://github.com/rhboot/shim/tree/shim-15.3 instead? There have been several issues already fixed that are similar to this, so my suspicion is this should work with a newer branch.