Changes


Linux: Secure Boot

1 byte added, 06:59, 6 June 2018
/* Secure Boot setup */
* Generate your own keys for Secure Boot: PK, KEK, db
CN="Your Common Name" O="Your OrganisationName"
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$CN PK/O=$O/" -keyout PK.key -out PK.crt -days 7300 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$CN KEK/O=$O/" -keyout KEK.key -out KEK.crt -days 7300 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$CN db/O=$O/" -keyout db.key -out db.crt -days 7300 -nodes -sha256
* Convert the public part of the keys (the certificates) to the ESL format understood by UEFI
UUID=$(uuidgen --random)
cert-to-efi-sig-list -g $UUID PK.crt PK.esl
cert-to-efi-sig-list -g $UUID KEK.crt KEK.esl
cert-to-efi-sig-list -g $UUID db.crt db.esl
* Sign ESL files
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
* At this stage you are ready to sign the GRUB EFI binary and add it to the list of binaries allowed by Secure Boot
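
Before enrolling the files, it is worth checking that each .esl really carries your certificate under your owner GUID. The Python sketch below is an added example, not part of the original wiki page: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification, the function names are hypothetical, and the sample GUID and certificate bytes are constructed placeholders.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): the list holds DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize (little-endian)
_LIST_HEADER = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return [(signature_type, owner_guid, data), ...] for every entry in an ESL blob."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < _LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, header_size, sig_size = _LIST_HEADER.unpack_from(blob, offset)
        end = offset + list_size
        body_start = offset + _LIST_HEADER.size + header_size
        if list_size < _LIST_HEADER.size or end > len(blob) or body_start > end:
            raise ValueError("SignatureListSize or SignatureHeaderSize out of bounds")
        if sig_size <= 16 or (end - body_start) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI GUIDs are stored mixed-endian
        for pos in range(body_start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset = end
    return entries


def build_esl(owner, der):
    """Build a single-certificate ESL in memory (used here only to make sample input)."""
    sig_size = 16 + len(der)
    header = _LIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, _LIST_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der


def check_esl(blob, expected_owner, expected_der):
    """True only if the ESL holds exactly one X.509 entry with our GUID and our certificate."""
    return parse_esl(blob) == [(EFI_CERT_X509_GUID, expected_owner, expected_der)]


# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-not-a-real-cert"
SAMPLE_ESL = build_esl(SAMPLE_OWNER, SAMPLE_DER)

if __name__ == "__main__":
    print(check_esl(SAMPLE_ESL, SAMPLE_OWNER, SAMPLE_DER))
```

To check a real file, pass the bytes of db.esl, the value of $UUID, and the output of `openssl x509 -in db.crt -outform DER` to `check_esl`.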