Custom-signed EFI binaries fail with 0x1A security violation on 15.4-5; works with 15-5 #373
Comments
|
Hi! The most likely cause will be that your old binaries don't include SBAT metadata, and that's a hard requirement now when you're using shim 15.3 onwards. If you're not sure what that is, see https://github.com/rhboot/shim/blob/main/SBAT.md |
|
I saw mentions of SBAT in the 15.4 changes but didn't realize that it applied to binaries as well as the firmware. I'll look into adding SBAT sections to the binaries. Thanks for the pointer. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm currently using shim-15-5 on Gentoo, which uses Fedora's 15-5 binary packages. I have a custom Secure Boot key enrolled using Mok and everything's working fine.
On upgrading to shim-15.4-5 manually (since this version isn't in Gentoo yet), all self-signed EFI executables that previously worked with 15-5 are now failing with
0x1A security violationin the shim loader.I'm unsure what would be causing this, since everything works fine with 15-5.
Signing command I'm using for GRUB: (using sbsigntool-0.9.4)
sbsign --key MOK.priv --cert MOK.pem --output /boot/efi/EFI/gentoo/grubx64.efi grubx64.efiThe text was updated successfully, but these errors were encountered: