grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Can't find a solution to a failed secure boot kernel loading


From: Łukasz Piątkowski
Subject: Can't find a solution to a failed secure boot kernel loading
Date: Tue, 10 May 2022 12:28:44 +0200

Hi everyone - I'm new here!

Sorry for going with my problem directly to the grub-devel maling list, but I'm pretty sure my problem is GRUB related. Still, I've spent some hours trying to find a solution on the Internet and I failed :( So, here it comes - if anyone has time to explain my problem to a layman, it would be awesome. Even better, if you can maybe answer here on stackoverflow, where it can be easier to find, I believe (https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature).

I'm running ubuntu with Secure Boot on. Everything works fine when I use a kernel that comes packaged from cannonical. Still, I have issues running a self-signed kernel (this is actually an externally built kernel, that I have verified and want to use for my own machine). I'm pretty sure my signature with MOK key is OK (verification below), but still when I try to boot the kernel from grub, after selecting the correct entry, I get an error that reads "Loading ... error: bad shim signature." I'm wrapping my head around it and can't find a solution. Why, even though both kernels are signed with MOK keys, one of them works and the other doesn't?

Here's info about kernel signatures:

root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
Image was already signed; adding additional signature

root@T495:~# sbverify --list /boot/vmlinuz
signature 1
image signature issuers:
 - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
image signature certificates:
 - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
   issuer:  /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
signature 2
image signature issuers:
 - /CN=ubuntu Secure Boot Module Signature key
image signature certificates:
 - subject: /CN=ubuntu Secure Boot Module Signature key
   issuer:  /CN=ubuntu Secure Boot Module Signature key


And here about MOK keys:

root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint -noout
SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7

If there are any docs that help understand that, I'm happy to be redirected there :)

piontec

reply via email to

[Prev in Thread] Current Thread [Next in Thread]