On Mon, 11.09.23 14:48, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:

> Hi again. I tried to boot from UKI to no avail.
>
> First created a "db" certificate
>
> openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
>
> openssl x509 -outform DER -in db.pem -out db.crt
>
> Then uploaded it to secure boot trust via USB drive and the UEFI setup.
>
> Then created UKI:
>
> /usr/lib/systemd/ukify \
>   /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
>   /boot/initramfs-6.4.12-200.fc38.x86_64.img \
>   --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
>   --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
>   --phases='enter-initrd' \
>   --pcr-banks=sha1,sha256 \
>   --secureboot-private-key=/etc/secure_boot/db.key \
>   --secureboot-certificate=/etc/secure_boot/db.pem \
>   --sign-kernel \
>   --cmdline='ro rhgb'
>
> Then added a boot entry:
>
> efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
>
> Unfortunately when trying to boot this I get:
>
> Bad kernel image: Load Error

That suggests the kernel you picked does not carry a correct PE/MZ
signature. i.e. we generate that error typically if we can't jump
into it because it doesn't come with the right PE headers.

Lennart

--
Lennart Poettering, Berlin
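Added example, not part of the original thread and not systemd code: a Python check of the PE/MZ headers the reply above refers to, which can be pointed at a vmlinuz or UKI file before it is placed on the ESP. The names inspect_pe and sample_image are hypothetical, and the sample bytes are constructed for the test rather than taken from a real kernel.

```python
import struct
import sys

EFI_APPLICATION = 10  # IMAGE_SUBSYSTEM_EFI_APPLICATION
MACHINES = {0x8664: "x86_64", 0xAA64: "aarch64", 0x014C: "i386"}

def inspect_pe(data: bytes) -> dict:
    """Parse the headers a UEFI loader looks at; report why parsing stops."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"ok": False, "reason": "no MZ (DOS) header"}
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return {"ok": False, "reason": "no PE signature at e_lfanew"}
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    if opt_size < 2 or opt + opt_size > len(data):
        return {"ok": False, "reason": "optional header truncated"}
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        return {"ok": False, "reason": "unknown optional header magic"}
    dirs = 96 if magic == 0x10B else 112  # data directory offset: PE32 / PE32+
    if opt_size < dirs:
        return {"ok": False, "reason": "optional header truncated"}
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, opt + dirs - 4)
    cert_size = 0  # directory 4 = certificate table (Authenticode signature)
    if ndirs > 4 and opt_size >= dirs + 40:
        _, cert_size = struct.unpack_from("<II", data, opt + dirs + 32)
    return {"ok": True, "machine": MACHINES.get(machine, hex(machine)),
            "pe32_plus": magic == 0x20B, "efi_app": subsystem == EFI_APPLICATION,
            "cert_table_size": cert_size}

def sample_image(signed: bool) -> bytes:
    """Constructed PE32+ header block for testing; not a bootable image."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 144, 0x400, 0x600)  # cert table offset, size
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image(True)
    print(inspect_pe(blob))
```

Run with a file path as the only argument to inspect a real image; a cert_table_size of 0 means the file has no embedded Authenticode certificate table.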