On 2023-07-17 09:29 PM, Sergey Filatov wrote:

So the boot sequence in my case is this:

EFI -> shim -> MOK-signed GRUB2 with MOK-signed modules -> MOK-signed Linux kernel

From what I've learned, you don't need shim at all; you can boot a signed grub and kernel directly.

Apparently you can chainload Windows using shim because it's an MS-signed binary, but I never got it to work.

If you just want Linux to boot, have a look at:

https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with/

My general method was:

- Get UEFI boot working first
- Delete all the secure boot keys from your BIOS, ensure setup mode is enabled
- Boot and set up and sign everything with sbctl
- Enable secure boot in the BIOS, boot
- If it doesn't work, enter your BIOS, delete all the keys and go to setup mode again
- Try again

Cheers.

P.S. Always use --disable-shim-lock when installing grub

--
Simon Perry (aka Pezz)
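
A check for the "ensure setup mode is enabled" and "enable secure boot" steps in the message above, as an added example that is not part of the original e-mail: it reads the UEFI `SetupMode` and `SecureBoot` variables from efivarfs and reports which stage of the procedure the machine is in. The function names, the stage labels and the `EFIVARS_DIR` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report Secure Boot / Setup Mode state from efivarfs.
# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c
# Overridable so the functions can be run against constructed sample files.
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}

# An efivarfs file holds 4 bytes of attributes followed by the variable data,
# so the one-byte value of SetupMode/SecureBoot is the 5th byte of the file.
efi_byte() {
    f="$EFIVARS_DIR/$1-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    echo "${v:-missing}"
}

# Map the two variables onto the stages of the procedure (labels are hypothetical).
sb_stage() {
    setup=$(efi_byte SetupMode)
    secure=$(efi_byte SecureBoot)
    case "$setup/$secure" in
        missing/*|*/missing) echo "no-uefi-vars" ;;                  # legacy boot or efivarfs not mounted
        1/*)                 echo "setup-mode" ;;                    # keys cleared, ready to enroll
        0/1)                 echo "enforcing" ;;                     # keys enrolled, Secure Boot on
        0/0)                 echo "keys-enrolled-secure-boot-off" ;; # enable it in the firmware next
        *)                   echo "unknown" ;;
    esac
}

# Write a constructed sample variable: attributes 0x00000007, then value byte $3 (0 or 1).
make_var() {
    printf "\007\000\000\000\00$3" > "$1/$2-$EFI_GLOBAL"
}

# Report the state of the running system.
sb_stage
```

Run it before enrolling keys (expect `setup-mode`) and again after enabling Secure Boot in the firmware (expect `enforcing`).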
