I made one with a secure boot certificate, but it cannot be loaded under secure boot.

rhboot / shim

UEFI shim loader

Other

816 stars 284 forks source link

I made one with a secure boot certificate, but it cannot be loaded under secure boot. #589

Open 1457384613gh opened 11 months ago

1457384613gh commented 11 months ago

make VENDOR_CERT_FILE=microsoft-uefica-public.cer DEFAULT_LOADER=PreLoader.efi

Then I got a shimx64.efi. It loads PreLoader.efi as default instead of grubx64,efi.

However, it cannot be loaded under secure boot.

What I did is wrong? Is there something that I haven't done?

dennis-tseng99 commented 11 months ago

Hi, did you have correctly sign your PreLoader.efi like grubx64.efi ? Or did you correctly enroll key ? If you trace codes, it might get failed in :

init_grub() -> start_image() -> handle_image() -> verify_buffer() -> verify_buffer_authenticode()

1457384613gh commented 11 months ago

I copy mmx64.efi there, too.

The shimx64.efi I've made, cannot be loaded by UEFI firmware.

It won't load signed mmx64.efi.

dennis-tseng99 commented 11 months ago

The shimx64.efi I've made, cannot be loaded by UEFI firmware.

Please check whether your firmware has the corresponding public key, for example Microsoft key, can verify your shimx64.efi during the chainload. Thanks.

1457384613gh commented 11 months ago

Are you from Taiwan? May I speak zh_TW to you? Which chat app do you use? May I add you? I don't want to chat here.

15058718379 commented 11 months ago

This sounds like a failed BIOS check shim.You can disable secure boot to confirm that shim validation has failed. Alternatively, run the ’pesign -S -i shimx64.efi’ to check the signature of the shim and check whether the corresponding public key exists in the BIOS. If you can load shim, you can open the log using ‘mokutil --set-verbosity true’.