Changes
# as a result, signatures of these files will be created
* Replace your existing bootloader with the signed one
# find your existing bootloader and make a copy of it
BOOTLOADER=$(find /boot/efi/EFI -name "*x64.efi")
echo "$BOOTLOADER"
cp "$BOOTLOADER" "$BOOTLOADER.orig"
# place the grubx64.efi.signed you created earlier as the default bootloader
== Testing ==
* At this stage you should see the following in your /boot/efi
tree /boot/efi/
# You should see the following:
/boot/efi/
├── EFI
│   └── debian
│       ├── grubx64.efi
│       └── grubx64.efi.orig
├── grub.cfg
├── grub.cfg.sig
├── initrd.img-4.13.0-1-amd64
├── initrd.img-4.13.0-1-amd64.sig
├── vmlinuz-4.13.0-1-amd64
└── vmlinuz-4.13.0-1-amd64.sig
2 directories, 8 files
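The layout above can be checked before rebooting. The following is an added example, not part of the original article: a hypothetical helper <code>check_boot_sigs</code> that reports missing, orphaned, or stale <code>.sig</code> files in the top level of a directory, assuming detached signatures are named <code>&lt;file&gt;.sig</code> as in the tree above. It compares timestamps only and does not verify the signatures cryptographically.

```shell
#!/bin/sh
# Added example (not from the original article).
# Pre-reboot check: every regular file in the top level of a directory must
# have a detached "<file>.sig" next to it that is not older than the file.
# The function name and the OK/MISSING/STALE/ORPHAN labels are hypothetical.
# Usage: check_boot_sigs /boot/efi

check_boot_sigs() {
    dir=$1
    problems=0
    for f in "$dir"/*; do
        # Skip EFI/ and other directories; the EFI binaries inside them
        # have no detached .sig in the layout shown above.
        [ -f "$f" ] || continue
        case $f in
            *.sig)
                # Orphan signature: the signed file was removed or renamed.
                if [ ! -f "${f%.sig}" ]; then
                    echo "ORPHAN  $f"
                    problems=$((problems + 1))
                fi
                continue ;;
        esac
        if [ ! -f "$f.sig" ]; then
            echo "MISSING $f.sig"
            problems=$((problems + 1))
        elif [ "$f" -nt "$f.sig" ]; then
            # File changed after it was signed, e.g. a regenerated initrd
            # or an edited grub.cfg; the old signature no longer matches.
            echo "STALE   $f.sig"
            problems=$((problems + 1))
        else
            echo "OK      $f"
        fi
    done
    echo "$problems problem(s) found in $dir"
    # Return success only when nothing was flagged.
    [ "$problems" -eq 0 ]
}
```

A non-zero return means at least one file should be re-signed or cleaned up before the reboot step.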
* Reboot once to see if the chain from the bootloader to the OS works correctly
reboot
* Log in as super-user again
su -
== Enable Secure Boot ==
* Install keys into EFI (PK last as it will enable Custom Mode locking out further unsigned changes):
* From now on only EFI binaries signed with any db key can be loaded
== See also ==
* Original article: [https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd Secure Boot with GRUB 2 and signed Linux images and initrds]<br>