I have created and enrolled my own custom PK, KEK, and db keys into the firmware. I created a MOK key and enrolled it into the MOK list using mokutil --import. (I had to run mmx65.efi manually. see previous post about possible bug) using mokutil, I can see all keys are present. secure boot is enabled. I signed shimx64.efi with my db.key/.crt.
As a test, I did NOT sign grubx64.efi or the kernel.
The expected result should have been that the computer should not have booted. But the computer did boot into the OS. My conclusion is that shim is not checking the grub and/or grub is not checking the kernel for proper signing. i.e. the files were still signed with the old keys.
Is there anything that I'm doing wrong. Do I need a newer version of shim or grub? Forgetting a step? Please Help. Thanks.
Custom kernel/grub Secure Boot Keys Ignored
Re: Custom kernel/grub Secure Boot Keys Ignored
There is a problem with the current version of shim as seen in CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
CentOS Forum FAQ