Re: UEFI secure boot issue
On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V <bhasker@unixindia.com> wrote:
>
> I generated a pr/pk pair and the kernel is signed. Placed them in the
> kernel tree and compiled the kernel.
I don't think you are supposed to check-in/compile-in the private key.
It is usually supposed to stay private.
> Could someone tell me what I am doing wrong, please?
>
> Below is the status (I am using loader.efi from linuxfoundation)
> When I boot Debian stock kernel signed, I see that the secure boot
> gets enabled (hence bios and everything else seems to be fine with the
> same UEFI loader).
> However, when I boot the compiled kernel I get
>
> $ dmesg | grep -i secure
> [ 0.007085] Secure boot could not be determined
>
>
> $ sbverify --list bootx64.efi
> warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
> signature 1
> image signature issuers:
> - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
> Corporation UEFI CA 2011
> image signature certificates:
> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation UEFI CA 2011
> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
> Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> $ sbverify --list ./loader.efi
> signature 1
> image signature issuers:
> - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
> - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> $ sbverify --list ../../linux/k.bcv
> signature 1
> image signature issuers:
> - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
> - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
Have a look at <https://wiki.debian.org/SecureBoot>, and the use of
the Machine Owner Key (MOK).
Jeff
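
Added example, not part of either poster's message: a Python parser for `sbverify --list` output like that quoted above, reporting signing certificates that are their own issuer. Such a certificate chains to nothing else, so an image signed with it verifies only where that exact certificate has been enrolled (in the firmware db, or as a MOK when booting through shim). The samples are constructed from the thread's output with the wrapped lines rejoined, and the function names are this example's own.

```python
import re

# Constructed samples in the shape of the `sbverify --list` output quoted in the
# thread, with the mail client's wrapped lines joined back together.
OWN_KEY = """signature 1
image signature issuers:
 - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
 - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
   issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
"""
MS_CA = "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011"
VENDOR = f"""warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - {MS_CA}
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  {MS_CA}
"""

def parse_sbverify_list(text):
    """Parse `sbverify --list` output into one dict per signature."""
    sigs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"signature (\d+)", line):
            sigs.append({"index": int(m.group(1)), "issuers": [], "certs": []})
            section = None
        elif not sigs:
            continue  # warnings printed before the first signature
        elif line == "image signature issuers:":
            section = "issuers"
        elif line == "image signature certificates:":
            section = "certs"
        elif section == "issuers" and line.startswith("- "):
            sigs[-1]["issuers"].append(line[2:].strip())
        elif section == "certs" and (m := re.fullmatch(r"- subject:\s*(.+)", line)):
            sigs[-1]["certs"].append({"subject": m.group(1), "issuer": None})
        elif section == "certs" and sigs[-1]["certs"] and (m := re.fullmatch(r"issuer:\s*(.+)", line)):
            sigs[-1]["certs"][-1]["issuer"] = m.group(1)
    return sigs

def self_signed_signers(sigs):
    """Subjects of signing certificates that are their own issuer (self-signed)."""
    return [cert["subject"] for sig in sigs for cert in sig["certs"]
            if cert["subject"] == cert["issuer"] and cert["subject"] in sig["issuers"]]
```

For real output, pipe `sbverify --list <image>` into `parse_sbverify_list`; lines wrapped by a mail client must be rejoined first.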