Hi @Cassidy_Wilson, there are a couple of things this could be. Have you verified that your unified kernel image is really being signed? You should see some warnings about “PE/COFF” section sizes if it is. Alternatively, did you enroll the PK after you enrolled KEK and db? You can check that your keys are there by using mokutil --pk (or looking in the firmware interface).
Another possible issue could be that the firmware doesn’t know about your image. I think sbupdate should take care of that, but you can check bootctl or efibootmgr to see if something is pointing there.
1 Like
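The two checks suggested in the reply above (is the image actually signed, and are PK/KEK/db really enrolled) can be done offline without mokutil. The script below is an added example, not code from this thread or from any of the tools mentioned: it walks the PE/COFF headers to find the Authenticode certificate table (data directory entry 4), and reads the Secure Boot variables straight from efivarfs, assuming the standard layout of a 4-byte attribute word followed by the variable data and the standard EFI_GLOBAL_VARIABLE / EFI_IMAGE_SECURITY_DATABASE GUIDs. The minimal PE image and the fake efivars directory are constructed fixtures so the example runs anywhere.

```python
"""Offline Secure Boot sanity checks (added example, not from the thread):
does a PE/COFF image carry an Authenticode certificate table, and which
Secure Boot variables are present in an efivarfs directory."""
import struct
import tempfile
from pathlib import Path

_PE32_MAGIC, _PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset, inside the optional header, of data directory entry 4
# (IMAGE_DIRECTORY_ENTRY_SECURITY): directories start at 96 (PE32) / 112 (PE32+).
_SECURITY_DIR = {_PE32_MAGIC: 96 + 4 * 8, _PE32PLUS_MAGIC: 112 + 4 * 8}


def authenticode_table(image: bytes):
    """Return (file_offset, size) of the embedded WIN_CERTIFICATE table, or
    None when the image is unsigned. Raises ValueError on a malformed header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    if len(image) < opt + 2:
        raise ValueError("truncated header")
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in _SECURITY_DIR:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < _SECURITY_DIR[magic] + 8:
        return None  # optional header too short to hold entry 4 at all
    if len(image) < opt + _SECURITY_DIR[magic] + 8:
        raise ValueError("truncated optional header")
    off, size = struct.unpack_from("<II", image, opt + _SECURITY_DIR[magic])
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table points outside the file")
    return off, size


def minimal_pe32plus(cert: bytes = b"") -> bytes:
    """Constructed fixture: a header-only PE32+ image, optionally with a
    WIN_CERTIFICATE blob appended and referenced from data directory 4."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, _PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff
    if not cert:
        return header + bytes(opt)
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
    blob = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    struct.pack_into("<II", opt, _SECURITY_DIR[_PE32PLUS_MAGIC], len(header) + len(opt), len(blob))
    return header + bytes(opt) + blob


EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_SECDB = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SB_VARS = {"SecureBoot": EFI_GLOBAL, "SetupMode": EFI_GLOBAL, "PK": EFI_GLOBAL,
           "KEK": EFI_GLOBAL, "db": EFI_SECDB, "dbx": EFI_SECDB}


def secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Read each Secure Boot variable from efivarfs (4 attribute bytes, then
    data); a missing file means the variable is unset. Returns name -> bytes."""
    state = {}
    for name, guid in SB_VARS.items():
        try:
            state[name] = (Path(efivars_dir) / f"{name}-{guid}").read_bytes()[4:]
        except OSError:
            state[name] = b""
    return state


def diagnose(state):
    """The checks from the thread: PK, KEK and db enrolled (KEK/db before PK,
    since enrolling PK leaves setup mode) and the firmware actually enforcing."""
    issues = []
    for key in ("PK", "KEK", "db"):
        if not state.get(key):
            issues.append(f"{key} is not enrolled")
    if state.get("PK") and not (state.get("KEK") and state.get("db")):
        issues.append("PK is set but KEK or db is missing: enroll KEK and db before PK")
    if state.get("SecureBoot") != b"\x01":
        issues.append("SecureBoot is not enabled")
    if state.get("SetupMode") == b"\x01":
        issues.append("firmware is in setup mode (signatures not enforced)")
    return issues


def write_fake_efivars(root, values):
    """Constructed fixture: fake efivarfs files (attributes 0x27 + data) under root."""
    d = Path(root) / "efivars"
    d.mkdir(exist_ok=True)
    for name, data in values.items():
        (d / f"{name}-{SB_VARS[name]}").write_bytes(struct.pack("<I", 0x27) + data)
    return d


def demo_efivars():
    """Run diagnose() over two constructed firmware states and return the issues."""
    good = {"SecureBoot": b"\x01", "SetupMode": b"\x00", "PK": b"pk", "KEK": b"kek", "db": b"db"}
    pk_first = {"SecureBoot": b"\x00", "SetupMode": b"\x00", "PK": b"pk"}  # PK enrolled too early
    out = {}
    for label, values in (("good", good), ("pk_first", pk_first)):
        with tempfile.TemporaryDirectory() as tmp:
            out[label] = diagnose(secure_boot_state(write_fake_efivars(tmp, values)))
    return out


if __name__ == "__main__":
    print("unsigned fixture:", authenticode_table(minimal_pe32plus()))
    print("signed fixture:  ", authenticode_table(minimal_pe32plus(b"\x30\x82")))
    for label, issues in demo_efivars().items():
        print(label, "->", issues or "no issues")
```

On a real machine, run `authenticode_table(Path("/boot/EFI/Linux/your-image.efi").read_bytes())` on the unified kernel image and `diagnose(secure_boot_state())` against the live efivars; a `None` from the first call means the image was never signed, and the `pk_first` output shows what an out-of-order enrollment looks like.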
Thanks for the response! I figured out soon after I typed that comment that my boot loader hadn’t been signed, so I had to do that.
Now that is really interesting!
Seconded. Definitely seconded!
If somebody is interested, I developed a tool to sign EFI files (linux + initramfs), which mount a dm-verity verified squashfs at boot, which also provides A/B-style updates/rollback.
Using the TPM2.0 for disk encryption is possible with systemd-cryptenroll, and tpm2-totp also works in the initramfs.
Since I am probably the only user, this is not considered production ready. At the moment it also only works on Arch Linux, but I will add at least Debian in the future.
https://aur.archlinux.org/packages/verify-squash-root
5 Likes
Since I don’t know a lot about Secure Boot, I’d really love a step-by-step. I want to use Linux and be as secure as possible. I currently use Arch Linux and a LUKS / partition, but would be interested in your setup.
Thanks for the post and I’ll be interested in anything further you document.
@Paulie420 check two posts above and you have your step-by-step guide