Signing kernel

Andy Whitcroft apw at
Wed Sep 25 15:10:55 UTC 2013

On Wed, Sep 25, 2013 at 05:11:57PM +0300, Dmitry Kasatkin wrote:

> I took ownership of the platform by enrolling my own keys: PK, KEK and db.
> And I do signing using sbsign.
> UEFI is able to boot my kernel directly or using UEFI bootloaders such
> as gummiboot.
> But Ubuntu grub does not want to boot it.
> I thought it should use "db" keys to verify.
> Or does it use only Canonical key?

Ok grub2 uses the signature validation service that the 'shim' which loaded
grub installed.  Looking at that code it seems to only to check things
aginst the key the shim was built with and with any added vendor keys.
I think the expect you to rebuild and resign shim if you are replacing
the KEK, or to boot things directly from efi as you have replaced the
KEK and can sign yourself.

You might want to bring this up on the ubuntu-installer list, as the
experts in this functionality hang out there.


More information about the kernel-team mailing list