#1 2019-06-27 15:11:08

LEXUGE
Member
From: Zhejiang, China
Registered: 2019-06-27
Posts: 4

Secure boot failed in "shim with key" method

Hi,
I'm using the "shim with key" method which is introduced in the wiki.
My setup is encrypted /boot with GRUB and the basic linux package (not LTS or anything else).

After entering the password to decrypt the master key, I went into GRUB. Then it went to the kernel. However, it stopped and said:

Bootloader has not verified loaded image. System is compromised. halting

I signed /boot/vmlinuz-linux and esp/EFI/GRUB/grubx64.efi.
After a while of googling, someone said GRUB should be patched.

By the way, I booted successfully by using the "shim with hash" method.

Thanks.

Last edited by LEXUGE (2019-06-27 15:30:25)


#2 2019-06-27 21:55:05

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: Secure boot failed in "shim with key" method

LEXUGE wrote:

By the way, I booted successfully by using the "shim with hash" method.

According to the wiki,

When run, shim tries to launch grubx64.efi. If MokList does not contain the hash of grubx64.efi or the key it is signed with, shim will launch MokManager (mmx64.efi).

Could it be that grubx64.efi has had the hash stored in MokList, causing it to launch the bootloader without launching MokManager to enroll your Machine Owner Key?

Do you recall actually enrolling your Machine Owner Key, or could it be still checking the hash?

In MokManager select Enroll key from disk, find MOK.cer and add it to MokList. When done select Continue boot and your boot loader will launch and it will be capable of launching any binary signed with your Machine Owner Key.

Last edited by sabroad (2019-06-27 21:56:51)


--
saint_abroad
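The reply above turns on three questions: is Secure Boot actually enforcing, is the Machine Owner Key really in MokList (rather than only a hash of grubx64.efi), and is grubx64.efi signed with that key. The script below is an added example, not code from the thread, the Arch wiki or the shim project. It assumes mokutil, sbverify (from sbsigntools) and openssl are installed for the live checks and skips them otherwise; the MOK.crt path, the ESP layout and the sample `mokutil --list-enrolled` listing are constructed assumptions, so the fingerprints shown are not real keys. Note that all three checks can pass and the boot still halt with "Bootloader has not verified loaded image": that message comes from shim when GRUB loaded the kernel without going through shim's verification, which is the unpatched-GRUB problem LEXUGE ends up identifying.

```shell
#!/bin/sh
# Added example (not from the thread): verify the preconditions for the
# "shim with key" method. Parsing helpers run on a constructed sample so they
# can be exercised on any machine; live checks need mokutil/sbverify/openssl.
# Paths and fingerprints below are assumptions, not values from the thread.

MOK_CERT="${MOK_CERT:-/root/mok/MOK.crt}"          # assumed PEM cert path
GRUB_EFI="${GRUB_EFI:-/boot/EFI/GRUB/grubx64.efi}"  # assumed ESP layout

# Constructed sample of `mokutil --list-enrolled` output (format approximated:
# one "[key N]" header per enrolled entry, followed by its fingerprint).
SAMPLE_MOKLIST='[key 1]
SHA1 Fingerprint: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Machine Owner Key
        Subject: CN=Machine Owner Key
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Old test key
        Subject: CN=Old test key
'

# mok_count LISTING: number of entries (keys or hashes) in a mokutil listing.
mok_count() {
    printf '%s\n' "$1" | grep -c '^\[key [0-9][0-9]*\]'
}

# mok_enrolled FINGERPRINT LISTING: succeed when FINGERPRINT is in the listing
# (case-insensitive, fixed-string match so the colons are taken literally).
mok_enrolled() {
    printf '%s\n' "$2" | grep -Fiq "SHA1 Fingerprint: $1"
}

# cert_fingerprint CERT: SHA1 fingerprint of a PEM certificate, normalised to
# mokutil's lower-case colon-separated form. Needs openssl.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# live_checks: run the real tools when available. Returns 2 if they are absent,
# 1 if the cert cannot be read, otherwise the exit status of sbverify.
live_checks() {
    for tool in mokutil sbverify openssl; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool not installed; skipping live checks"
            return 2
        fi
    done
    mokutil --sb-state                      # "SecureBoot enabled" is what we want
    fp=$(cert_fingerprint "$MOK_CERT") || return 1
    listing=$(mokutil --list-enrolled)
    if mok_enrolled "$fp" "$listing"; then
        echo "MOK $fp is enrolled ($(mok_count "$listing") MokList entries)"
    else
        echo "MOK $fp is NOT in MokList: shim will only accept grubx64.efi by hash"
    fi
    # Fails when grubx64.efi is not signed with the MOK (or is unsigned).
    sbverify --cert "$MOK_CERT" "$GRUB_EFI"
}

# Run the live checks only when invoked as a script named check-mok.sh,
# not when the file is sourced for its helper functions.
case "${0##*/}" in
    check-mok.sh) live_checks ;;
esac
```

Run it as `sudo MOK_CERT=/path/to/MOK.crt sh check-mok.sh`. An enrolled key plus a verified signature on grubx64.efi means shim will chain to GRUB without MokManager; a MokList that contains only hash entries is the "shim with hash" situation, which does not help once GRUB or the kernel is rebuilt.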


#3 2019-06-28 01:29:34

LEXUGE
Member
From: Zhejiang, China
Registered: 2019-06-27
Posts: 4

Re: Secure boot failed in "shim with key" method

sabroad wrote:
LEXUGE wrote:

By the way, I booted successfully by using the "shim with hash" method.

According to the wiki,

When run, shim tries to launch grubx64.efi. If MokList does not contain the hash of grubx64.efi or the key it is signed with, shim will launch MokManager (mmx64.efi).

Could it be that grubx64.efi has had the hash stored in MokList, causing it to launch the bootloader without launching MokManager to enroll your Machine Owner Key?

Do you recall actually enrolling your Machine Owner Key, or could it be still checking the hash?

In MokManager select Enroll key from disk, find MOK.cer and add it to MokList. When done select Continue boot and your boot loader will launch and it will be capable of launching any binary signed with your Machine Owner Key.

Hi there, I reset the MokList using mokutil before enrolling the MOK key. And I double checked the MokList after enrolling the key. It's just right.
The problem is in GRUB itself. Shim can't cooperate with unpatched (original) GRUB, as mentioned in shim GitHub issue #172.

To solve that, I'm using my own key. It works perfectly.
