Linux: Secure Boot

1,554 bytes added, 14:35, 20 September 2018
tree /boot/efi/
 
# You should see the following:
/boot/efi/
├── EFI
├── vmlinuz-4.13.0-1-amd64
└── vmlinuz-4.13.0-1-amd64.sig
  2 directories, 8 files
* Reboot once to see if the chain from bootloader to the OS works correctly
reboot
* Login as super-user again
su -

== Enable Secure Boot ==
* Install keys into EFI. Write PK last: writing PK switches the firmware from Setup Mode to User Mode, after which PK, KEK, db and dbx only accept updates signed by the PK or a KEK, so unsigned or self-made changes are locked out:
efi-updatevar -f db.auth db
efi-updatevar -f KEK.auth KEK
efi-updatevar -f PK.auth PK
 
* On recent kernels (e.g. 4.5.4) the EFI variable files may be immutable (the i flag in lsattr output). If the commands above fail with a permission error, use chattr -i to make them mutable again and retry:
chattr -i /sys/firmware/efi/efivars/{PK,KEK,db,dbx}-*
 
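The enrolment above, with the checks a practitioner wants before touching the variables, as an added example that is not part of the original note: it refuses to write unless the firmware reports Setup Mode, clears the immutable flag only where lsattr actually reports it, enrols db, KEK and PK in that order, and then parses efi-readvar output to confirm each variable carries the expected Subject CN. It assumes efitools (efi-updatevar, efi-readvar), the db.auth/KEK.auth/PK.auth files built earlier in the note, and the "Your Name PK/KEK/db" CNs used in the note's example output; the script name enrol-keys.sh and the --enrol switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original note): enrol custom Secure Boot keys in the
# order the note uses (db, KEK, PK) with sanity checks first. Assumes efitools and
# the db.auth/KEK.auth/PK.auth files from earlier in the note. Run as root.

EFIVARS=/sys/firmware/efi/efivars
# EFI_GLOBAL_VARIABLE GUID: owner of the SetupMode, SecureBoot, PK and KEK variables.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Read a one-byte efivar. efivarfs prefixes the payload with 4 attribute bytes,
# so the value is the fifth byte of the file.
efivar_u8() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# PK/KEK/db may be written with self-made .auth files only while the firmware
# is in Setup Mode (SetupMode == 1, i.e. no PK enrolled yet).
setup_mode_ok() {
    [ "$1" = "1" ]
}

# Clear the immutable flag on the efivars files for variable $1, but only
# where lsattr reports it, so the script is safe to re-run.
make_mutable() {
    for f in "$EFIVARS/$1"-*; do
        [ -e "$f" ] || continue
        if lsattr "$f" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
            chattr -i "$f"
        fi
    done
}

# Parse efi-readvar output on stdin; succeed only if variable $1 has an X509
# entry whose Subject (not Issuer) contains "CN=$2".
readvar_has_cn() {
    awk -v var="$1" -v cn="$2" '
        $1 == "Variable" { cur = $2; sub(/,$/, "", cur); want = 0 }
        /Subject:/       { want = (cur == var) }
        /Issuer:/        { want = 0 }
        want && index($0, "CN=" cn) { found = 1 }
        END { exit found ? 0 : 1 }'
}

enrol_keys() {
    for v in db KEK PK; do
        [ -f "$v.auth" ] || { echo "missing $v.auth" >&2; return 1; }
    done
    mode=$(efivar_u8 "$EFIVARS/SetupMode-$EFI_GLOBAL")
    if ! setup_mode_ok "$mode"; then
        echo "SetupMode=$mode: firmware is not in Setup Mode; clear PK in firmware setup first" >&2
        return 1
    fi
    for v in PK KEK db dbx; do make_mutable "$v"; done
    # Order matters: PK last, because writing it leaves Setup Mode and any
    # later KEK/db write would need an update signed by that PK.
    efi-updatevar -f db.auth db   || return 1
    efi-updatevar -f KEK.auth KEK || return 1
    efi-updatevar -f PK.auth PK   || return 1
    # Verify the enrolment before rebooting.
    efi-readvar | readvar_has_cn db  "Your Name db"  \
        && efi-readvar | readvar_has_cn KEK "Your Name KEK" \
        && efi-readvar | readvar_has_cn PK  "Your Name PK"
}

# Only act when explicitly asked: sh enrol-keys.sh --enrol
case "${1:-}" in --enrol) enrol_keys ;; esac
```

The SetupMode check is the important one: once a PK is present the same efi-updatevar commands fail (or, on some firmware, silently do nothing), so the script stops with a clear message instead of leaving a half-enrolled key set. The CN check after writing is what a reboot would otherwise be the first test of.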
* Review installed certificates
efi-readvar
# You should see the following:
Variable PK, length 874
PK: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name PK, O=Your Organisation Name
        Issuer:
            CN=Your Name PK, O=Your Organisation Name
Variable KEK, length 874
KEK: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name KEK, O=Your Organisation Name
        Issuer:
            CN=Your Name KEK, O=Your Organisation Name
Variable db, length 874
db: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name db, O=Your Organisation Name
        Issuer:
            CN=Your Name db, O=Your Organisation Name
Variable dbx has no entries
Variable MokList has no entries

* Reboot. From now on only EFI binaries signed with a key whose certificate is in db can be loaded
reboot

== See also ==
* Original article: [https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd Secure Boot with GRUB 2 and signed Linux images and initrds]

[[category:software]]
[[category:Application notes]]
[[category:fitlet2]]