I used pesign for signing shim (https://github.com/rhboot/shim); the new UEFI BIOS does not validate shim's signature. To verify whether I have signed properly, I signed a grubx64.efi image using the same process; the grubx64.efi signature was successfully verified by the UEFI BIOS. I used the following method to sign shim and grub:
Generated keys (PK.crt (CA), db.key, db.crt, db.p12)
Create certificate db and add required certificates
mkdir certdb
certutil -N -d certdb
certutil -A -n 'PK' -d certdb -t CT,CT,CT -i ../keys/PK.crt # (Add PK.crt)
pk12util -d certdb -i db.p12 #(Add db.p12)
certutil -d certdb -A -i ../keys/db.crt -n "my Signature Database key" -t u #(Add db certificate)
Sign using pesign
pesign -n certdb -c "my Signature Database key" -s -i grubx64.efi -o grubx64_pesign_signed.efi
pesign -n certdb -c "my Signature Database key" -s -i shimx64.efi -o shimx64_pesign_signed.efi
To verify the signature I used the sbverify tool (I could not find any better tool)
sbverify --cert db.crt grubx64_pesign_signed.efi
Output: Signature verification OK
sbverify --cert db.crt shimx64_pesign_signed.efi
Output:
warning: data remaining[1124760 vs 1282576]: gaps between PE/COFF sections?
Signature verification OK
I think the warning might be the cause of the signature verification failure?
Could you please advise on how to resolve this?
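A way to look into the sbverify warning quoted above, as an added example that is not part of the original issue or of sbsigntools: it parses a PE/COFF file and reports how many bytes are not described by the headers, the section table or the certificate table. It assumes the warning's two numbers compare such a covered-byte count with the file size; `pe_coverage`, `build_sample` and the sample image are constructed for illustration.

```python
import struct

def pe_coverage(data: bytes) -> dict:
    """Count the file bytes accounted for by PE headers, section raw data and
    the certificate table, and compare that with the file size."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)
    # Data directories start at 96 (PE32) or 112 (PE32+); entry 4 is the
    # certificate table, whose first field is a file offset, not an RVA.
    dirs = opt + (112 if magic == 0x20B else 96)
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    covered = size_of_headers + cert_size
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name = data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode()
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        sections.append((name, raw_ptr, raw_size))
        covered += raw_size
    return {"covered": covered, "file_size": len(data),
            "unaccounted": len(data) - covered, "sections": sections}

def build_sample(trailing: int) -> bytes:
    """Constructed PE32+ file: 0x200 header bytes, one 0x200-byte .text
    section, then `trailing` bytes that no header describes."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x8664, 1)         # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x44 + 16, 240)           # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x20B)              # PE32+ magic
    struct.pack_into("<I", hdr, 0x58 + 60, 0x200)         # SizeOfHeaders
    hdr[0x148:0x14D] = b".text"                           # section table at 0x58 + 240
    struct.pack_into("<II", hdr, 0x148 + 16, 0x200, 0x200)  # raw size, raw pointer
    return bytes(hdr) + b"\x90" * 0x200 + b"\0" * trailing

if __name__ == "__main__":
    for extra in (0, 96):
        print(extra, pe_coverage(build_sample(extra)))
```

Running it on the unsigned and signed shim binaries and comparing the `unaccounted` values and section list shows whether the extra bytes were already in the input file or appeared during signing.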