Framework refuses to start Debian signed kernels in secure boot

I’ve replaced PK and KEK with my own keys.
Among others I have added the Debian key from
https://dsa.debian.org/secure-boot-ca
to db.
But with secure boot activated, the Framework refuses to start signed Debian
kernels (tried vmlinuz-5.18.0-3-amd64 and vmlinuz-5.18.0-4-amd64).
Yet sbverify says ‘Signature verification OK’.
I’ve enrolled the Debian certificate from the BIOS and with
efi-updatevar, both with the same result.
I tried to start the kernel from refind, efi-shell and with F3.

As a cross-check, I’ve also installed the Canonical signature and tried
to start an Ubuntu kernel, which succeeded.

Does anybody know what goes wrong here? Was anybody able to start a Debian
kernel under secure boot without using shim or signing it themselves?

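One check a reader of this thread may want, as an added example that is not from the original poster, Framework or Debian: a parser for the EFI_SIGNATURE_LIST format in which db is stored (as written by `efi-readvar -v db -o db.esl`, or as read from efivarfs after its 4-byte attribute prefix), listing each entry's type, owner GUID and the SHA-256 of the enrolled data, so the fingerprint of what the firmware actually holds can be compared with the certificate downloaded from dsa.debian.org. The sample db below is constructed and contains no real certificate.

```python
import hashlib
import struct
import uuid

# Well-known EFI_SIGNATURE_LIST type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}


def parse_esl(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures and return one dict
    per EFI_SIGNATURE_DATA entry. Raises ValueError on a truncated or
    inconsistent blob instead of silently reporting a partial db."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size field is inconsistent")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("EFI_SIGNATURE_DATA size does not divide the list body")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            data = body[i + 16:i + sig_size]
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                # For X509 entries this is the SHA-256 of the DER certificate,
                # comparable with `openssl x509 -outform der | sha256sum`.
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        off += list_size
    return entries


def build_esl(sig_type, owner, signatures):
    """Build one EFI_SIGNATURE_LIST (equal-sized entries); used here only to
    construct sample input."""
    body = b"".join(owner.bytes_le + s for s in signatures)
    sig_size = 16 + len(signatures[0])
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample db: a placeholder "certificate" (not real DER) plus two hash entries.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-0000000000aa")
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"FAKE-DER-CERT-FOR-DEMO"])
             + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32]))
```

Running `parse_esl` over a real `db.esl` and looking for the SHA-256 of the downloaded Debian certificate shows whether the enrolled entry is byte-identical to the cert sbverify was given.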