#Can't boot to signed UKI image

So I set up my PK, KEK, and db entries on the bootloader. And made patches to append to the lists the original entries that came with the computer (by converting back and forth).

So now my efivars look like this:

• PK: MyKey
• KEK: MyKey + 2xMicrosoft + Laptop manufacturer
• db: MyKey + 5xMicrosoft + Laptop Manufacturer
• dbx: Some things that came pre-excluded

I've signed the systemd-boot efi binary, and it loads no problem, and can boot Windows with secureboot capabilities perfectly.
I've also set up sbctl to use my keys to sign kernel images when remade via mkinicpio, and in theory that works too.

But when booting to linux I get this error message and I have no Idea what it could be.

This is what I get when running sbctl verify

(+ all the windows junk)

what happens if you sbctl sign-all, or sbctl sign <path to that unsigned file> ?

My curret set up is mkinitcpio is what calls sbctl to sign the kernel images and generate my UKIs

And I have my keys configured at /etc/sbctl/sbctl.conf

It's odd that it gets a green tick here but the verification fails

Yeah

Does it still complain at boot with that geen tick there?

yep

This is what I get when I enable secureboot and try to load the UKI

(Windows works fine tho, so the bootloader, that's signed with the same db keys works....)

I've also set up a pacman hook to sign the bootloader /etc/pacman.d/hooks/80-secureboot.hook

That signs these files /usr/lib/systemd/boot/efi/systemd-boot*.efi

And taht seems to be working fine

What's sbverify? I don't seem to have that 🤔

It should be pretty automagic. Just installing sbctl puts the hook into pacman

The red error here I think is most worth chasing down. It could be that your linux-zen kernel is now signed ok (green tick), but the bootloader is not happy

That's what the red error suggests to me

It's from sbsigntools

Yeah haha, but I've not been able to foind anything online so far

hmm 🤔

I wonder how good this tool is

I am 110% secure booting on this machine

https://bbs.archlinux.org/viewtopic.php?id=309025 maybe

links to https://github.com/Foxboron/sbctl/issues/462

I think you should delete (or back up) the kernel that is complaining, re-install the kernel and give it another spin

Weird thing is that my mkinitcpio is saying everything is oK

(I've disabled the sbctl config in that run

This is now a uki? You were signing vmlinuz here?

Uki is easier, fwiw

Less to sign, less to go wrong

I'm booting to a UKI

it just... also generates the vmlinuz.... and leaves unsigned

But I did sign it jus tto try

Sorry I overlooked that it was a .efi in your first image

No worries 😄

The kernel doesn't need to be signed if you're using UKI, as the UKI itself gets signed

I've disabled sbctl and regenerated the uki, and it just says no signature table found, so I don't think it's a double signature problem

Did you enroll your keys?

wdy mean enrroll?

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Creating_and_enrolling_keys

I added them to the EFI vars via KeyTool

Oh I did not run those commands because I did the setup manually, as I generated the keys myself

I think you should have done that from inside sbctl, so it knows where the keys live

There's import-keys ?

I'll try that

As an aside, seeing as you are using UKI, you could dodge the bootloader entirely, if you put the UKI at the UEFI fallback position like I do here

and here's a log-roll from reinstalling the kernel. This is the kinda thing you want to see

Ahammmmmm

Interesting

The plot thickens!

lemme check my db cert generation

cause this is weird

For my experience, I just did all of this from inside sbctl. I let it make its own keys, enroll (microsoft cosigned) and sign

like 3 or 4 commands and it was done (not saying you should do that, just describing)

Wait wot

wdymean 0 bytes

Very smol key 🤏

I may have accidentally touched it

well, thank god I have backups XD

Also, setting up sshkeys so that I manage any of my computers from a single one is full glory

Ok I know exaclty how I botched my dk keys

Well, time to test if that works

It worked!

Thanks @hot crown

mushroom.botherer received a thank you cookie!

Also, don't you happen to know how to check if things like the nviida driver are loaded?

I've haerd that when secure booting sometimes they don't load correctly and have to change some configs.

nvidia-smi is the easiest way, it will complain if it's not set up

otherwise lspci -k | grep -iA3 vga will interrogate lspci and spit out the "vga" line and 3 lines after, which should say the modules and drivers that are running

This keeps apperaing but it works

¯_(ツ)_/¯

Holy rabbithole XD

I think that's systemd-boot 🤔

This is worth considering, if you're not using the bootloader to manage snapshots or dual-booting

I am dual booting windows sadly