
#1 2022-12-24 17:20:32

Registered: 2015-07-11
Posts: 43

[SOLVED] Signed official iso secure boot fails

I built a signed official iso using these instructions: … ustom_keys
However, the firmware refuses to boot it, saying "Operating system loader failed signature verification".

I mounted the USB stick partitions and verified (sbverify) that all five files are correctly signed with the MOK. This is the same MOK that I use for normal booting from the hard drive.

I'm wondering if there is something else on the USB drive that has to be signed. Any ideas?


Based on reading the NSA document … 200915.PDF I think that the MOK is useless without shim, and the instructions do not install shim. Has anyone tried this and gotten it to work?

Last edited by mz (2022-12-24 19:24:53)


#2 2022-12-24 18:12:45

The Evil Wiki Admin
Registered: 2016-07-02
Posts: 668

Re: [SOLVED] Signed official iso secure boot fails

That's because the UEFI doesn't read the MokList. MOKs are a shim-specific thing and the ISO doesn't contain shim.

It could be possible to place the shim EFI binaries in /EFI/BOOT/BOOTx64.EFI & /EFI/BOOT/BOOTIA32.EFI and place the standalone GRUB EFI binaries in /EFI/BOOT/grubx64.efi & /EFI/BOOT/grubia32.efi, but reusing the standalone GRUB from the ISO is not possible since it was created with --disable-shim-lock (without that option, it is not possible to use Secure Boot signed GRUB without shim; see … a76b1c69e3 ).

A not so pretty solution would be to create the GRUB EFI binaries yourself. E.g. something like this (untested):

$ cat <<'EOF' > /tmp/grub.cfg
if ! [ -d "$cmdpath" ]; then
    # On some firmware, GRUB has a wrong cmdpath when booted from an optical disc.
    if regexp --set=1:isodevice '^(\([^)]+\))\/?[Ee][Ff][Ii]\/[Bb][Oo][Oo][Tt]\/?$' "$cmdpath"; then
        # Rebuild cmdpath from the matched device, as archiso's embedded grub.cfg does.
        cmdpath="${isodevice}/EFI/BOOT"
    fi
fi
configfile "${cmdpath}/grub.cfg"
EOF
$ grub-mkstandalone -O i386-efi \
	--modules="all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd" \
	--locales="en@quot" \
	--themes="" \
	--sbat=/usr/share/grub/sbat.csv \
	-o grubia32.efi "boot/grub/grub.cfg=/tmp/grub.cfg"
$ grub-mkstandalone -O x86_64-efi \
	--modules="all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd" \
	--locales="en@quot" \
	--themes="" \
	--sbat=/usr/share/grub/sbat.csv \
	-o grubx64.efi "boot/grub/grub.cfg=/tmp/grub.cfg"
$ sbsign ...
$ mcopy -D oO -i eltorito_img2_uefi.img grubx64.efi grubia32.efi ::/EFI/BOOT/
$ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/
$ mcopy -D oO -i eltorito_img2_uefi.img /usr/share/shim-signed/shimx64.efi ::/EFI/BOOT/BOOTx64.EFI
$ mcopy -D oO -i eltorito_img2_uefi.img /usr/share/shim-signed/shimia32.efi ::/EFI/BOOT/BOOTIA32.EFI
$ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
	-outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
	-boot_image any replay \
	-append_partition 2 0xef eltorito_img2_uefi.img \
	-map /usr/share/shim-signed/shimx64.efi /EFI/BOOT/BOOTx64.EFI \
	-map /usr/share/shim-signed/shimia32.efi /EFI/BOOT/BOOTIA32.EFI \
	-map grubx64.efi /EFI/BOOT/grubx64.efi \
	-map grubia32.efi /EFI/BOOT/grubia32.efi \
	-map shellx64.efi /shellx64.efi \
	-map shellia32.efi /shellia32.efi \
	-map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux

It's entirely possible that eltorito_img2_uefi.img will not have enough free space. You can omit touching the IA32 stuff and maybe it will fit.

Edit: quoted 'EOF'.

Last edited by nl6720 (2022-12-24 18:17:52)
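The distinction above (firmware consults db, shim additionally consults MokList) can be checked on the installed system by parsing the EFI_SIGNATURE_LIST blobs behind the db and MokListRT variables. This is an added example, not code from the thread or from archiso; the variable names and GUIDs are the UEFI/shim ones, the sample "certificates" are constructed placeholder bytes, and read_efivar assumes efivarfs is mounted at /sys/firmware/efi/efivars.

```python
import struct, uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = "/sys/firmware/efi/efivars"
# db lives in the image-security-database namespace; MokListRT is the
# runtime copy of the MokList that shim publishes under its own GUID.
VARS = {"db": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",
        "MokListRT": "605dab50-e046-4300-abb6-3dd810dd8b23"}

def read_efivar(name):
    """Variable contents; efivarfs prefixes 4 bytes of attributes."""
    with open(f"{EFIVARS}/{name}-{VARS[name]}", "rb") as f:
        return f.read()[4:]

def build_signature_list(sig_type, owner, datas):
    """Encode one EFI_SIGNATURE_LIST (entries in a list share one size)."""
    body = b"".join(owner.bytes_le + d for d in datas)
    hdr = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(datas[0]))
    return hdr + body

def parse_signature_lists(blob):
    """Return [(SignatureType GUID, SignatureData bytes), ...] for every entry."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData
            entries.append((sig_type, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def cert_enrolled(blob, cert_der):
    return any(t == EFI_CERT_X509_GUID and d == cert_der
               for t, d in parse_signature_lists(blob))

def trust_scope(cert_der, db_blob, mok_blob):
    """Which loader chain accepts a binary signed with this certificate."""
    if cert_enrolled(db_blob, cert_der):
        return "firmware"   # in db: any EFI binary the firmware loads, shim not needed
    if cert_enrolled(mok_blob, cert_der):
        return "shim-only"  # in MokList only: accepted solely by shim and what it loads
    return "none"

# Constructed sample data, not real certificates or a real owner GUID.
OWNER = uuid.UUID(int=0)
FAKE_DB_CERT, FAKE_MOK_CERT = b"\x30\x82constructed-db-cert", b"\x30\x82constructed-mok-cert"
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_DB_CERT])
SAMPLE_MOK = build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_MOK_CERT])
```

On a real machine, `trust_scope(open("MOK.cer", "rb").read(), read_efivar("db"), read_efivar("MokListRT"))` returns "shim-only" for a certificate that was only enrolled through mokutil, which is exactly why a shim-less ISO signed with it is refused.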


#3 2022-12-24 19:23:59

Registered: 2015-07-11
Posts: 43

Re: [SOLVED] Signed official iso secure boot fails

So I guess that the wiki instructions could have worked if I had originally set up secure boot this way: … r_own_keys

instead of this way: … oot_loader.


Better results using mkarchiso and the patch referenced here:

Last edited by mz (2022-12-24 23:32:54)

