rhboot / shim

UEFI shim loader

I made one with a secure boot certificate, but it cannot be loaded under secure boot. #589

Open 1457384613gh opened 1 year ago

1457384613gh commented 1 year ago

make VENDOR_CERT_FILE=microsoft-uefica-public.cer DEFAULT_LOADER=PreLoader.efi

Then I got a shimx64.efi. It loads PreLoader.efi as default instead of grubx64.efi.

However, it cannot be loaded under secure boot.

What did I do wrong? Is there something that I haven't done?

dennis-tseng99 commented 1 year ago

Hi, did you correctly sign your PreLoader.efi like grubx64.efi? Or did you correctly enroll the key? If you trace the code, it might fail in:

init_grub() -> start_image() -> handle_image() -> verify_buffer() -> verify_buffer_authenticode()

1457384613gh commented 1 year ago

I copied mmx64.efi there, too.

The shimx64.efi I've made cannot be loaded by UEFI firmware.

It won't load signed mmx64.efi.

dennis-tseng99 commented 1 year ago

> The shimx64.efi I've made cannot be loaded by UEFI firmware.

Please check whether your firmware has the corresponding public key, for example the Microsoft key, that can verify your shimx64.efi during the chainload. Thanks.

1457384613gh commented 1 year ago

Are you from Taiwan? May I speak zh_TW to you? Which chat app do you use? May I add you? I don't want to chat here.

15058718379 commented 1 year ago

This sounds like a failed BIOS check of shim. You can disable secure boot to confirm that shim validation has failed. Alternatively, run 'pesign -S -i shimx64.efi' to check the signature of the shim and check whether the corresponding public key exists in the BIOS. If you can load shim, you can enable the log using 'mokutil --set-verbosity true'.