How/what to sign so that secure boot can be enabled #44

Open
rickhg12hs opened this issue Mar 2, 2019 · 5 comments

Comments

@rickhg12hs

Do you have a recommended procedure for signing GLIM's bits so that secure boot can stay enabled on systems that I control?

@thias
Owner

thias commented Mar 6, 2019

I honestly have no idea. A quick search seems to indicate that it might not be that easy, or even possible at all.

https://askubuntu.com/questions/642653/loopback-module-for-grub-with-secure-boot

If you do find a way, please share! :-)

@ValdikSS

ValdikSS commented Mar 9, 2019

See https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk

Basically, to boot a Linux kernel with Secure Boot enabled using unpatched GRUB2 and the linux command, you don't need to do any additional steps. You only need to add the GRUB2 certificate to the Secure Boot db and boot it.
GRUB2 versions with Secure Boot hardening patches (which are found in Ubuntu and Fedora/CentOS at least) need additional steps/patches, as they either replace linux with linuxefi or boot the Linux kernel using the UEFI LoadImage and StartImage functions.

@rickhg12hs
Author

I've already enrolled a key in the MOK to sign kernel modules I've compiled for Fedora. Am I an easy step away from being able to securely boot from the USB drive?

@ValdikSS

It depends on what you want to achieve. If you only want to boot Fedora from HDD or ISO on your current PC with the enrolled key, you can probably use the signed shim (from the shim package) and grub2 (from the grub2-efi-x64 package) from Fedora. This bundle does not require key enrolling at all, but it would boot only Fedora.

If you want to boot other Linux distros, you'd better use Super UEFIinSecureBoot Disk. Another option is to use unpatched GRUB2 (not from Fedora or Ubuntu) with signed shim <= 0.4; it will boot any Linux distribution after enrolling the GRUB2 hash or key using MokManager.

If you don't want to use the Microsoft certificate, and you want to take ownership of the UEFI platform and enroll your own keys, you can sign your own shim and grub.

@morfikov

There's a way. You have to create grub as an image using grub-mkstandalone. In this way there would be just one binary that will be loaded by, for instance, rEFInd, and this image should be signed by the end user, or the hash of the image should be added to the shim's MOK database. Also you can use shim signed by Microsoft. Look at how Ubuntu live is booted. It has EFI/BOOT/grubx64.efi and EFI/BOOT/BOOTx64.EFI; one is signed by Canonical and the other by MS. If you have Canonical's cert in the firmware's database, you can use the first option to boot. If you only have the MS cert, you can boot using the fallback option. A similar solution would be nice to have.
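The workflow morfikov describes, combined with the MOK key rickhg12hs already enrolled, as an added example script (not GLIM's code and not from any commenter): build one standalone GRUB image, sign it, and verify the signature before it goes on the drive. It assumes sbsigntools is installed, that MOK.key/MOK.pem are the enrolled key pair (paths are assumptions), and that the GLIM partition's filesystem UUID is passed as the first argument.

```shell
#!/bin/sh
# Added example, not GLIM project code. Builds a single standalone GRUB image
# with grub-mkstandalone, signs it with an enrolled MOK key pair, and verifies
# the signature. Assumptions: sbsigntools present, MOK.key/MOK.pem enrolled via
# mokutil, $1 is the filesystem UUID of the GLIM partition.
set -u

require() {   # require <tool>: fail early instead of leaving a half-built image
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# grub.cfg embedded in the image: locate the GLIM partition by UUID and hand
# over to its real grub.cfg, so menu changes never require re-signing the binary.
embedded_cfg() {   # embedded_cfg <fs-uuid>
    printf 'search --no-floppy --fs-uuid --set=root %s\n' "$1"
    printf 'set prefix=($root)/boot/grub\n'
    printf 'configfile $prefix/grub.cfg\n'
}

# Everything GLIM needs (loopback/iso9660 for ISO booting) is baked in, so the
# signed image loads no separate, unsigned .mod files at run time.
GRUB_MODULES="part_gpt part_msdos fat ext2 iso9660 loopback normal configfile \
search search_fs_uuid linux chain boot"

build_image() {   # build_image <fs-uuid> <out.efi>
    tmpcfg=$(mktemp) || return 1
    embedded_cfg "$1" > "$tmpcfg"
    grub-mkstandalone -O x86_64-efi -o "$2" --modules="$GRUB_MODULES" \
        "boot/grub/grub.cfg=$tmpcfg"
    rc=$?; rm -f "$tmpcfg"; return $rc
}

sign_image() {    # sign_image <unsigned.efi> <signed.efi> <key> <cert>
    sbsign --key "$3" --cert "$4" --output "$2" "$1" &&
    sbverify --cert "$4" "$2"   # refuse to ship an image whose signature fails
}

main() {
    for t in grub-mkstandalone sbsign sbverify; do require "$t" || return 1; done
    build_image "$1" grubx64-unsigned.efi || return 1
    sign_image grubx64-unsigned.efi grubx64.efi MOK.key MOK.pem || return 1
    echo "grubx64.efi signed; place it next to shim (BOOTx64.EFI) on the drive."
}

# Runs the pipeline only when invoked as: sh sign-glim-grub.sh <fs-uuid>
case "${1:-}" in ?*) main "$1" ;; esac
```

If you would rather not sign, the unsigned grubx64-unsigned.efi can instead have its hash enrolled through MokManager's "Enroll hash from disk", which is the other route morfikov mentions.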

4 participants