I've verified this using the gist at https://gist.github.com/smoser/86781865f7191bbb790c74453967f28c (which is also attached).

$ lxc launch ubuntu:jammy j1
$ lxc exec j1 /bin/bash

% echo deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted > /etc/apt/sources.list.d/proposed.list
% apt-get update
% apt-get install --no-install-recommends --assume-yes \
    mtools dosfstools qemu-system-x86 qemu-utils

% git clone https://gist.github.com/86781865f7191bbb790c74453967f28c.git gist
% cd gist
% ./collect-ovmf ovmf-jammy-proposed
...
wrote PkKek-1-snakeoil.pem from /usr/share/ovmf/PkKek-1-snakeoil.pem
linked from signing.pem to PkKek-1-snakeoil.pem
wrote PkKek-1-snakeoil.key from /usr/share/ovmf/PkKek-1-snakeoil.key
linked from signing.key to PkKek-1-snakeoil.key
wrote signing.password from text
wrote OVMF_VARS_4M.fd from /usr/share/OVMF/OVMF_VARS_4M.fd
wrote OVMF_CODE_4M.secboot.fd from /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
wrote OVMF_VARS_4M.snakeoil.fd from /usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd
linked from ovmf-insecure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-insecure-vars.fd to OVMF_VARS_4M.fd
linked from ovmf-secure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-secure-vars.fd to OVMF_VARS_4M.snakeoil.fd

% cat ovmf-jammy-proposed/firmware-info.yaml
release: jammy
packages:
  ovmf: "2022.02-3ubuntu0.22.04.1"

% sbsign \
    --key=ovmf-jammy-proposed/signing-nopassphrase.key \
    --cert=ovmf-jammy-proposed/signing.pem \
    --output=esp-jammy-proposed/hello-signed.efi \
    HelloWorld.efi
warning: data remaining[45056 vs 54568]: gaps between PE/COFF sections?
Signing Unsigned original image

% sbverify --list esp-jammy-proposed/hello-signed.efi
warning: data remaining[46760 vs 56272]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil
image signature certificates:
 - subject: /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil
   issuer: /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil

% ./gen-esp create esp-jammy-proposed.img esp-jammy-proposed/hello-signed.efi:hello-signed.efi
creating image 128MB in esp-jammy-proposed.img
EFI/BOOT/HELLO-SIGNED.EFI -> EFI/BOOT/HELLO-SIGNED.EFI

## local change to disable kvm, as it won't work in container
% git diff
diff --git a/boot-vm b/boot-vm
index 96217d7..cac7f4d 100755
--- a/boot-vm
+++ b/boot-vm
@@ -75,7 +75,7 @@ main() {
 # -object rng-random,filename=/dev/urandom,id=rng0 \
 # -device virtio-rng-pci,rng=rng0 \
 set -- qemu-system-x86_64 \
- -M "q35,smm=on,accel=kvm" \
+ -M "q35,smm=on" \
 -m 1024 \
 -vga none -serial mon:stdio \
 -global "driver=cfi.pflash01,property=secure,value=on" \

% ./boot-vm ovmf-jammy-proposed esp-jammy-proposed.img
...
Shell> fs0:
FS0:\> cd efi\boot
FS0:\efi\boot\> HELLO-SIGNED.EFI
┌───────────────────────────────────────────────────────────────────────┐
│                              HelloWorld                               │
│                                                                       │
│              This file is used to prove you have managed              │
│           To execute an unsigned binary in secure boot mode           │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                 ┌───┐                                 │
│                                 │OK │                                 │
│                                 └───┘                                 │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘
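
Review bot: In the boot-vm hunk shown in the git diff above, the -M line drops accel=kvm unconditionally, so every run falls back to QEMU's software emulation (TCG), including on hosts where KVM is available. Since the change is described as a workaround for running inside a container, consider selecting the accelerator at run time instead of editing the machine string, for example adding accel=kvm only when /dev/kvm is usable or exposing it as an option to boot-vm, and note in the script why the fallback exists.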