Bug#1033657: grub-efi-arm64-signed: Secure Boot not working on arm64
Emanuele Rocca
ema at debian.org
Mon Apr 3 10:44:17 BST 2023
On 2023-03-29 04:13, Emanuele Rocca wrote:
> We need to be able to reproduce the issue (a) with a self-signed
> version of grub.
I did manage to reproduce with a self-signed grub by using a new key
instead of the one included in AAVMF_VARS.snakeoil.fd. The latter is
included in PK and DB, while to reproduce we need a key present in MOK
only.
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
openssl x509 -inform der -in MOK.der -out MOK.pem
After enrolling the key from fwsetup, I could get the exact same error
with a self-signed grub as I get with the one signed with the Debian CA:
grub> linux /vmlinuz-6.1.0-7-arm64.onlymok
grub> boot
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A045000,0x6C735DC0).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
The image doesn't pass verification: MemoryMapped(0x2,0x6A045000,0x6C735DC0)
error: cannot load image.
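An added example, not part of the bug report: a small Python parser for the edk2 DxeImageVerificationLib messages shown above. It pairs each "3rd party image" load attempt with its verdict and picks out images that were signed but rejected because the signer is not in DB (the firmware verifier consults only DB/DBX; MOK is consulted by shim). The log text is constructed, modelled on the report's lines plus one invented successful load.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample serial-console output: the first entry mirrors the
# report, the second is an invented load that the firmware accepted.
SAMPLE_LOG = """\
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A045000,0x6C735DC0).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
The image doesn't pass verification: MemoryMapped(0x2,0x6A045000,0x6C735DC0)
error: cannot load image.
[Security] 3rd party image[1] can be loaded after EndOfDxe: MemoryMapped(0x2,0x70000000,0x70100000).
"""

IMAGE_RE = re.compile(r"3rd party image\[(\d+)\] can be loaded after EndOfDxe: (\S+?)\.?$")
VERDICT_RE = re.compile(r"^DxeImageVerificationLib: (.*)$")
FAIL_RE = re.compile(r"^The image doesn't pass verification: (\S+)$")
MEMMAP_RE = re.compile(r"^MemoryMapped\(0x[0-9A-Fa-f]+,(0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)$")

@dataclass
class ImageLoad:
    index: int
    device_path: str
    verdict: Optional[str] = None   # DxeImageVerificationLib explanation, if any
    passed: bool = True             # flipped to False on "doesn't pass verification"

    def image_size(self) -> Optional[int]:
        """Size in bytes of a MemoryMapped(type,start,end) device path, else None."""
        m = MEMMAP_RE.match(self.device_path)
        return int(m.group(2), 16) - int(m.group(1), 16) if m else None

def parse_verification_log(text: str) -> List[ImageLoad]:
    """Group verifier messages by the image load they belong to."""
    loads: List[ImageLoad] = []
    current: Optional[ImageLoad] = None
    for line in text.splitlines():
        if (m := IMAGE_RE.search(line)):
            current = ImageLoad(int(m.group(1)), m.group(2))
            loads.append(current)
        elif (m := VERDICT_RE.match(line)) and current:
            current.verdict = m.group(1)
        elif FAIL_RE.match(line) and current:
            current.passed = False
    return loads

def signed_but_untrusted(loads: List[ImageLoad]) -> List[ImageLoad]:
    """Rejected images that carried a signature whose signer is not in DB,
    the pattern seen when the signing key lives only in MOK."""
    return [l for l in loads if not l.passed and l.verdict
            and "signed but signature is not allowed by DB" in l.verdict]
```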