rhboot / shim

UEFI shim loader

Building shim with more than one certificate #603

Closed crempel-redhat closed 9 months ago

crempel-redhat commented 10 months ago

I'm trying to understand if this is even possible. Looking at shim.c it would appear that only a single certificate (i.e. make VENDOR_CERTFILE=pub.cer) can be embedded, however, the shim-review repo README.md implies that more than one certificate can be used: "add any additional binaries/certificates/SHA256 hashes that may be needed"

What I would like to be able to do is keep the existing Fedora certificate for validating kernel and modules but also have my own embedded certificate to validate a customized GRUB image as opposed to adding it to db (i.e. wide distribution, not just my system).

Or perhaps I'm interpreting the README.md wording incorrectly. If shim cannot accommodate more than one certificate, I guess the alternative is to build with my certificate and then sign everything?

aronowski commented 10 months ago

If shim cannot accommodate more than one certificate, I guess the alternative is to build with my certificate and then sign everything?

Why not enroll a CA certificate to MokList instead?

I've described the process in the context of AlmaLinux ELevate here. Try it, see if it does the job well for you.

crempel-redhat commented 10 months ago

Thanks, and sorry, I neglected to mention that my use case does not permit modification of the MOK list. But otherwise, yes, that would work.

mikebeaton commented 10 months ago

I believe you would need VENDOR_DB_FILE instead of VENDOR_CERT_FILE (can only use one or the other, not both).

crempel-redhat commented 10 months ago

Thanks Mike! I was not aware of VENDOR_DB_FILE but it does indeed look like what I need along with certutil. I haven't been able to find a definitive guide so I'm slowly piecing the puzzle together.
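As an added illustration of the VENDOR_DB_FILE route discussed above (this is example code, not shim's or the commenters' own tooling): shim's vendor db is consumed as a concatenation of EFI_SIGNATURE_LIST structures, the same on-disk layout as the UEFI `db` variable, so it can carry several X.509 certificates plus SHA-256 image hashes side by side. The script below builds such a blob and parses it back, with bounds checks, so you can confirm each certificate is present exactly once before baking it into shim. The certificate bytes and the owner GUID are constructed placeholders; the GUID constants are the ones from the UEFI specification.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner is informational only; this value is a hypothetical placeholder.
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, GUID in bytes_le form).
ESL_HEADER = struct.Struct("<16sIII")


def build_x509_esl(der: bytes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """One signature list holding a single DER certificate. X.509 certs
    differ in length and SignatureSize is per-list, so each cert gets its own list."""
    sig_size = 16 + len(der)                      # owner GUID + certificate
    list_size = ESL_HEADER.size + sig_size
    return ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size) \
        + owner.bytes_le + der


def build_sha256_esl(hashes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """One signature list holding any number of SHA-256 image hashes
    (fixed 32-byte entries, so they share a single list)."""
    hashes = list(hashes)
    for h in hashes:
        if len(h) != 32:
            raise ValueError("SHA-256 hash must be exactly 32 bytes")
    sig_size = 16 + 32
    list_size = ESL_HEADER.size + sig_size * len(hashes)
    body = b"".join(owner.bytes_le + h for h in hashes)
    return ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, sig_size) + body


def build_vendor_db(certs=(), hashes=()) -> bytes:
    """Concatenate lists into a single db-formatted blob for VENDOR_DB_FILE."""
    blob = b"".join(build_x509_esl(c) for c in certs)
    if hashes:
        blob += build_sha256_esl(hashes)
    return blob


def parse_vendor_db(blob: bytes):
    """Walk the concatenated lists and return (kind, owner, data) tuples.
    Every size field is checked against the buffer so a truncated or
    malformed blob is rejected instead of silently yielding garbage."""
    kinds = {EFI_CERT_X509_GUID.bytes_le: "x509",
             EFI_CERT_SHA256_GUID.bytes_le: "sha256"}
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated signature list header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("signature list size out of bounds")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        data_start = off + ESL_HEADER.size + hdr_size
        data_len = list_size - ESL_HEADER.size - hdr_size
        if data_len % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        kind = kinds.get(sig_type, "unknown")
        for i in range(data_len // sig_size):
            s = data_start + i * sig_size
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            entries.append((kind, owner, blob[s + 16:s + sig_size]))
        off += list_size
    return entries


# Constructed sample inputs: these are NOT real certificates, just placeholder bytes.
CERT_A = b"\x30\x82\x01\x00" + b"A" * 20
CERT_B = b"\x30\x82\x02\x00" + b"B" * 40
HASH_1 = bytes(range(32))


def demo() -> list:
    """Build a two-cert, one-hash vendor db and round-trip it through the parser."""
    return parse_vendor_db(build_vendor_db([CERT_A, CERT_B], [HASH_1]))


if __name__ == "__main__":
    db = build_vendor_db([CERT_A, CERT_B], [HASH_1])
    with open("vendor.db", "wb") as f:      # then: make VENDOR_DB_FILE=vendor.db
        f.write(db)
    for kind, owner, data in parse_vendor_db(db):
        print(kind, owner, len(data), "bytes")
```

The round trip is the useful part: run the parser over the blob you intend to ship and check that the certificate count and DER bytes match what you expect, since a mis-sized list header is exactly the kind of defect that only shows up as a silent verification failure at boot. In practice the blob would usually be produced with an existing signature-list tool rather than by hand; the script shows the layout those tools emit.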

mikebeaton commented 9 months ago

Can close this issue I guess? (Maybe with a separate one requesting more documentation...?? ;-) )

crempel-redhat commented 9 months ago

Apologies for the delay, yes, I'll close it :-)