Shim: System is compromised when using certificate, but not with hash

  Kiến thức lập trình

I am trying to boot a Linux kernel with efi stub enabled using Red Hat’s Shim

I can boot the system if I enroll the hash of my efi stub (selecting GRUBX64.EFI), but shim says the system is compromised when i enroll its certificate. I’d like to use a certificate so I can update without having to re-enroll.

Shim version: 15.8-3, extracted from Fedora rpm (signed by Microsoft).

Compiling Linux 6.9.7 (Buildroot) with EFI_STUB=y. Outputs bzImage.

Adding SBAT using script from -s .sbat sbat.csv -z .sbat -i bzImage -o bzImage.sbat where sbat.csv:

sbat,1,SBAT Version,sbat,1,


openssl req 
        -new -x509 -newkey rsa:2048 
        -nodes -days 36500 -outform DER 
        -keyout "mok.priv" 
        -out "mok.der" 
        -subj "/CN=Rescue/"

openssl x509 -in mok.der -inform DER -outform PEM -out mok.pem

sbsign --key mok.priv --cert mok.pem --output bzImage.signed bzImage.sbat

Then using genimage ( to create img:

# file genimage.cfg

image efi-part.vfat {
    vfat {
        file EFI/BOOT/BOOTX64.EFI {
            image = "shimx64.efi"

        file EFI/BOOT/MMX64.EFI {
            image = "mmx64.efi"

        file EFI/BOOT/GRUBX64.EFI {
            image = "bzImage.signed"

        file MOK.DER {
            image = "mok.der"
    size = 16M

image disk.img {
    hdimage {
        partition-table-type = "gpt"

    partition boot {
        image = "efi-part.vfat"
        partition-type-uuid = U
        offset = 32K
        bootable = true
genimage -c genimage.cfg # Outputs disk.img

I have verified that GRUBX64.EFI isn’t changed by genimage with sbverify --cert mok.pem GRUBX64.EFI

Tested by writing to USB (dd …) and booting on Surface Go 2, and in the following vm, with the same results:


set -Eeuxo pipefail

OVMF_VARS="$(basename "${OVMF_VARS_ORIG}")"

if [ ! -e "${OVMF_VARS}" ]; then
        cp "${OVMF_VARS_ORIG}" "${OVMF_VARS}"

        -cpu host -smp cores=1,threads=1 -m 4096 
        -object rng-random,filename=/dev/urandom,id=rng0 
        -device virtio-rng-pci,rng=rng0 
        -name "${MACHINE_NAME}" 
    -drive format=raw,file="disk.img" 
        -net nic,model=virtio -net user,hostfwd=tcp::${SSH_PORT}-:22 
        -vga virtio 
        -machine q35,smm=on 
        -drive if=pflash,format=raw,unit=0,file="${OVMF_CODE}",readonly=on 
        -drive if=pflash,format=raw,unit=1,file="${OVMF_VARS}" 
        -global driver=cfi.pflash01,property=secure,value=on 

I have tried signing with pesign, but it didn’t make a difference:

#!/usr/bin/env bash

mkdir db
certutil -d db -N --empty-password

efikeygen -d db 

certutil -d db -L -n "Rescue" -r > mok.der
pesign --force -s -n db -c "Rescue" -i bzImage.sbat -o bzImage.signed

What am I doing wrong?

Theme wordpress giá rẻ Theme wordpress giá rẻ Thiết kế website