Building shim with more than one certificate #603
Comments
Why not enroll a CA certificate to MokList instead? I've described the process in the context of AlmaLinux ELevate here. Try it, see if it does the job well for you.
Thanks, and sorry, I neglected to mention that my use case does not permit modification of the MOK list. But otherwise, yes, that would work.
I believe you would need VENDOR_DB_FILE instead of VENDOR_CERT_FILE (can only use one or the other, not both).
Thanks Mike! I was not aware of VENDOR_DB_FILE but it does indeed look like what I need along with certutil. I haven't been able to find a definitive guide so I'm slowly piecing the puzzle together.
Can close this issue I guess? (Maybe with separate one requesting more documentation...?? ;-) )
Apologies for the delay, yes, I'll close it :-)
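As an added example (not shim project code and not from either commenter), one way to produce the multi-certificate EFI_SIGNATURE_LIST blob that VENDOR_DB_FILE takes, plus a parser that walks it back the way a verifier would and rejects inconsistent sizes; the owner GUID and the DER bytes are constructed placeholders.

```python
# Added example, not shim project code: each X.509 cert gets its own
# EFI_SIGNATURE_LIST (entries within a list must be equal-sized) and the
# lists are concatenated; a verifier walks the resulting blob list by list.
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI spec; EFI_GUID stores its first three
# fields little-endian, which uuid.bytes_le produces.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# SignatureOwner is informational; this value is an assumed placeholder.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")

def x509_signature_list(der_cert: bytes, owner: bytes = OWNER_GUID) -> bytes:
    """One EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA entry."""
    sig_data = owner + der_cert              # SignatureOwner + SignatureData
    list_size = HDR.size + len(sig_data)     # X.509 lists carry no SignatureHeader
    return HDR.pack(EFI_CERT_X509_GUID, list_size, 0, len(sig_data)) + sig_data

def build_vendor_db(der_certs: list[bytes]) -> bytes:
    """Concatenate one list per certificate: the VENDOR_DB_FILE payload."""
    return b"".join(x509_signature_list(c) for c in der_certs)

def parse_vendor_db(blob: bytes) -> list[bytes]:
    """Walk the lists as a verifier does; return DER certs, reject bad sizes."""
    certs, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize exceeds the blob")
        if sig_type == EFI_CERT_X509_GUID:
            body = blob[off + HDR.size + hdr_size:off + list_size]
            if sig_size <= 16 or len(body) % sig_size:
                raise ValueError("SignatureSize does not tile the list body")
            for i in range(0, len(body), sig_size):
                certs.append(body[i + 16:i + sig_size])   # skip SignatureOwner
        off += list_size
    return certs

if __name__ == "__main__":
    # Constructed stand-ins for DER certs (real ones: openssl x509 -outform DER).
    certs = [b"\x30\x82" + b"F" * 40, b"\x30\x82" + b"M" * 61]
    with open("vendor_db.esl", "wb") as f:   # then: make VENDOR_DB_FILE=vendor_db.esl
        f.write(build_vendor_db(certs))
    print(len(parse_vendor_db(build_vendor_db(certs))), "certificates embedded")
```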
I'm trying to understand if this is even possible. Looking at shim.c it would appear that only a single certificate (i.e. make VENDOR_CERT_FILE=pub.cer) can be embedded, however, the shim-review repo README.md implies that more than one certificate can be used: "add any additional binaries/certificates/SHA256 hashes that may be needed"
What I would like to be able to do is keep the existing Fedora certificate for validating kernel and modules but also have my own embedded certificate to validate a customized GRUB image as opposed to adding it to db (i.e. wide distribution, not just my system).
Or perhaps I'm interpreting the README.md wording incorrectly. If shim cannot accommodate more than one certificate, I guess the alternative is to build with my certificate and then sign everything?