I dug up my arm64/disco VM that I had hacked up to test this shim build before MS had signed it:
ubuntu@disco:~$ sudo mokutil --sb-state
SecureBoot enabled
So what's the relevant difference between this working config and the broken one?
Looks like I had set it up following: https://wiki.archlinux.org/index.php/Secure_Boot
That is, I had created and installed unique PK, KEK & db keys:
ubuntu@disco:~$ sudo mokutil --pk | grep Issuer
Issuer: CN=my Platform Key
ubuntu@disco:~$ sudo mokutil --kek | grep Issuer
Issuer: CN=my Key Exchange Key
ubuntu@disco:~$ sudo mokutil --db | grep Issuer
Issuer: CN=my Signature Database key
ubuntu@disco:~$ sudo mokutil --dbx | grep Issuer
ubuntu@disco:~$
I had signed shim w/ my custom db key:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/shimaa64.efi
warning: data remaining[836920 vs 900344]: gaps between PE/COFF sections?
Signature verification OK
And apparently GRUB as well:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/grubaa64.efi
Signature verification OK
While the kernel is an unmodified signed Canonical image.
Some package versions:
ubuntu@disco:~$ dpkg -l | grep -e shim
ii shim 15+1552672080.a4a1fbe-0ubuntu1 arm64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.40~uefi1+dannf.1+15+1552672080.a4a1fbe-0ubuntu1 arm64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@disco:~$ dpkg -l | grep grub
ii grub-common 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader (common files)
ii grub-efi-arm64 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader, version 2 (ARM64 UEFI version)
ii grub-efi-arm64-bin 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
ii grub-efi-arm64-signed 1.115+2.02+dfsg1-12ubuntu2 arm64 GRand Unified Bootloader, version 2 (EFI-ARM64 version, signed)
ii grub2-common 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader (common files for version 2)
ubuntu@disco:~$ dpkg -l | grep linux-image
ii linux-image-5.0.0-36-generic 5.0.0-36.39 arm64 Signed kernel image generic
ii linux-image-5.0.0-37-generic 5.0.0-37.40 arm64 Signed kernel image generic
ii linux-image-virtual 5.0.0.37.39 arm64 Virtual Linux kernel image
And from the host:
ii qemu-efi-aarch64 0~20191122.bd85bf54-1 all UEFI firmware for 64-bit ARM virtual machines
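The checks the reporter ran by hand above (who owns PK/KEK/db/dbx, and which certificate each boot stage verifies against) can be scripted so the whole chain is audited in one go. The script below is an added example, not code from the bug report or from the shim/Ubuntu projects. It assumes mokutil and sbverify (from sbsigntool) are installed, that the ESP layout is /boot/efi/EFI/ubuntu as in the post, and that each argument to audit_chain is a PEM certificate; db.crt is the reporter's custom db certificate, and the file name sbaudit.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a UEFI Secure Boot chain.
# Lists the owner of each key variable, then asks sbverify which of the given
# certificates each boot stage is signed with.
# Assumptions: mokutil and sbverify are installed, ESP is /boot/efi/EFI/ubuntu
# as in the post, and each argument to audit_chain is a PEM certificate.

# Extract the Issuer field from mokutil-style certificate dumps on stdin.
# mokutil indents these lines, so leading whitespace is tolerated.
issuers() {
    awk '/^[[:space:]]*Issuer:/ { sub(/^[[:space:]]*Issuer:[[:space:]]*/, ""); print }'
}

# Count certificates in a dump (mokutil prints one Issuer line per certificate).
issuer_count() {
    awk '/^[[:space:]]*Issuer:/ { n++ } END { print n + 0 }'
}

# Show the owner of each key variable. An empty dbx means nothing is revoked.
show_variables() {
    for var in pk kek db dbx; do
        dump=$(mokutil --"$var" 2>/dev/null) || dump=''
        if [ "$(printf '%s\n' "$dump" | issuer_count)" -eq 0 ]; then
            echo "$var: (empty)"
        else
            echo "$var:"
            printf '%s\n' "$dump" | issuers | sed 's/^/    /'
        fi
    done
}

# verify_stage CERT FILE: succeeds only if FILE has a signature chaining to CERT.
verify_stage() {
    sbverify --cert "$1" "$2" >/dev/null 2>&1
}

# audit_chain CERT...: for shim, GRUB and the running kernel, report the first
# certificate that verifies it, or a marker if none of the given ones do.
audit_chain() {
    esp=${ESP:-/boot/efi/EFI/ubuntu}
    kernel=${KERNEL:-/boot/vmlinuz-$(uname -r)}
    for f in "$esp"/shim*.efi "$esp"/grub*.efi "$kernel"; do
        [ -f "$f" ] || continue
        signer=unsigned-or-unknown-signer
        for cert in "$@"; do
            if verify_stage "$cert" "$f"; then signer=$cert; break; fi
        done
        printf '%-45s %s\n' "$f" "$signer"
    done
}

# Run the live checks only when invoked directly under the (hypothetical) name
# sbaudit.sh, so the functions above can also be sourced into another script.
if [ "${0##*/}" = "sbaudit.sh" ]; then
    show_variables
    audit_chain "$@"
fi
```

Run it as root (the ESP and the EFI variables are not world-readable): `sudo sh sbaudit.sh db.crt`. Any stage that reports unsigned-or-unknown-signer is signed by a certificate you did not pass; `sbverify --list FILE` prints the actual signer of each signature without guessing. Expect exactly that for the unmodified Canonical kernel in this setup: shim accepts what it loads if the signature chains to db, to the MOK list, or to the vendor certificate built into shim, so a Canonical-signed kernel boots under a custom db even though sbverify --cert db.crt rejects it. If the goal is a chain rooted only in your own key, the kernel has to be re-signed with it (or shim rebuilt with your vendor certificate).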