Closed jsommr closed 2 months ago
Got it. There seems to be a special case for hash-enrolled stuff. Creating the image with ukify worked - almost - like a charm. Now I just need to deal with the warning: "Overlapping PE sections detected. Boot may fail due to image memory corruption!".
Edit: And that was solved by using the latest linuxx64.efi.stub. Now everything works!
I can boot the system if I enroll the hash of my EFI stub (selecting GRUBX64.EFI), but shim says the system is compromised when I enroll its certificate.
Error message on boot:
Version: shim-15.8-3 extracted from Fedora rpm.
Compiling Linux 6.9.7 (Buildroot) with EFI_STUB=y. Outputs bzImage.
Adding SBAT using script from https://github.com/rhboot/shim/issues/376#issuecomment-1628004034:
pe-add-sections.py -s .sbat sbat.csv -z .sbat -i bzImage -o bzImage.sbat
where sbat.csv:
Signing:
Then using genimage (https://github.com/pengutronix/genimage) to create img:
I have verified that GRUBX64.EFI isn't changed by genimage with
sbverify --cert mok.pem GRUBX64.EFI
Tested by writing to USB (dd ...) and booting on Surface Go 2, and in the following VM, with the same results:
I have tried signing with pesign, but it didn't make a difference:
What am I doing wrong?
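The issue body adds a .sbat section to the kernel with pe-add-sections.py, and the follow-up comment hits the stub's "Overlapping PE sections detected" warning. A quick way to inspect either condition before signing or booting is to read the PE section table directly. The script below is an added example, not code from this issue or from the shim project: it parses the COFF header and IMAGE_SECTION_HEADER entries, reports whether a .sbat section is present, and flags any two sections whose file ranges or memory ranges intersect. The overlap test is my own reading of what such a warning means (half-open range intersection) and does not claim to reproduce the stub's exact logic; the sample PE32+ image is constructed inline so the script runs offline, and the real check is `python3 pe_sections.py bzImage.sbat` against your own file.

```python
"""Inspect the section table of a PE/EFI image: list sections, confirm that a
.sbat section exists, and flag overlapping file or memory ranges.

Added example for the shim/SBAT discussion above; not part of shim or the issue.
"""
import struct
import sys

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_pe_sections(data: bytes) -> list:
    """Return one dict per section header, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize,
            "rawptr": rawptr, "rawsize": rawsize,
        })
    return sections


def _ranges_intersect(a0, a1, b0, b1):
    """True if half-open ranges [a0, a1) and [b0, b1) share any byte."""
    return a0 < b1 and b0 < a1


def find_overlaps(sections) -> list:
    """Return (name_a, name_b, kind) for every pair of sections that overlap,
    where kind is 'file' (raw data in the file) or 'memory' (loaded image)."""
    found = []
    for i, a in enumerate(sections):
        for b in sections[i + 1:]:
            if a["rawsize"] and b["rawsize"] and _ranges_intersect(
                    a["rawptr"], a["rawptr"] + a["rawsize"],
                    b["rawptr"], b["rawptr"] + b["rawsize"]):
                found.append((a["name"], b["name"], "file"))
            # A zero VirtualSize is treated as "same as raw size" (assumption).
            a_len = a["vsize"] or a["rawsize"]
            b_len = b["vsize"] or b["rawsize"]
            if a_len and b_len and _ranges_intersect(
                    a["vaddr"], a["vaddr"] + a_len, b["vaddr"], b["vaddr"] + b_len):
                found.append((a["name"], b["name"], "memory"))
    return found


def check_image(data: bytes) -> dict:
    """Summarise the section table: names, .sbat presence, overlaps."""
    secs = parse_pe_sections(data)
    return {
        "sections": [s["name"] for s in secs],
        "has_sbat": any(s["name"] == ".sbat" for s in secs),
        "overlaps": find_overlaps(secs),
    }


def build_sample_image(overlap: bool) -> bytes:
    """Constructed minimal PE32+ file with .text, .data and .sbat (test data,
    not a real kernel or stub). With overlap=True, .sbat is placed inside the
    memory range of .data, the situation the stub warning describes."""
    layout = [  # name, vaddr, vsize, rawptr, rawsize
        (b".text", 0x1000, 0x2000, 0x400, 0x2000),
        (b".data", 0x3000, 0x1000, 0x2400, 0x1000),
        (b".sbat", 0x3800 if overlap else 0x4000, 0x200, 0x3400, 0x200),
    ]
    opt_size = 240  # size of a PE32+ optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zeroed
    headers = b"".join(
        SECTION_HEADER.pack(name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize, rawptr, rawsize in layout)
    image = dos + b"PE\0\0" + coff + opt + headers
    end = max(p + s for _, _, _, p, s in layout)
    return image + b"\0" * (end - len(image))  # pad so raw ranges lie inside the file


if __name__ == "__main__":
    # Usage: python3 pe_sections.py <image.efi>; without a path, the constructed
    # overlapping sample is checked instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(overlap=True)
    report = check_image(data)
    print("sections:", ", ".join(report["sections"]))
    print(".sbat present:", report["has_sbat"])
    for a, b, kind in report["overlaps"]:
        print(f"OVERLAP ({kind}): {a} and {b}")
```

Run it over bzImage.sbat after pe-add-sections.py and again over the final ukify output; a missing .sbat shows up as `has_sbat: False`, and an `OVERLAP (memory)` line points at the two sections the stub will complain about.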