New comment by sgn on void-packages repository https://github.com/void-linux/void-packages/issues/12495#issuecomment-664795753

Comment:

On 2020-07-27 22:50:51-0700, Érico Nogueira Rolim wrote:
> Signing the shim is a pain, requires payment, and then I believe we'd also have to sign the kernel *and* modules, which is another source of pain, so I don't think we should go that route.
>
> @unixandria-xda From my experience, the easiest route for Secure Boot is simply to not depend on GRUB:
>
> - create SB keys (using openssl commands or something like https://github.com/Foxboron/sbctl - which unfortunately doesn't have a release yet)
> - configure dracut for UEFI bundle generation (using #22484, manual

And #22484 is expected to be merged soon.

> configuration or something like https://github.com/zdykstra/zfsbootmenu - this last one is shipped on Void): this will create a bundle that contains the kernel, the cmdline, and the initramfs
> - add the `secureboot_*` options to your dracut config, so dracut can sign the bundle at creation time; or extend the sbsigntool hook to sign UEFI bundles (#23688 ?); or create a sbctl hook to sign them

FWIW, #23688 will be updated once #22484 has been merged.

> (not supported yet)
> - boot into the UEFI bundle directly (could have efibootmgr integration?) or into something like rEFInd, whose `refind-install` script can sign the refind executable

In order to do Secure Boot with rEFInd, we need to sign both the rEFInd EFI bootloader and the kernel. refind-install only signs the rEFInd binaries and the other binaries shipped by them. We still need sbsigntool or other hooks to sign newly installed kernels.

> The only part that I don't understand much about is enrolling keys, because I do it through my own firmware.

`efitools` provides userspace tools, and the `efitools-efi` package provides EFI binaries to do it.

-- Danh
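The enrollment step at the end of the thread (the `efitools` tools Danh points to) works on EFI_SIGNATURE_LIST blobs: `cert-to-efi-sig-list` wraps a DER certificate in that structure, and `sign-efi-sig-list` then signs it so the firmware accepts the write to PK, KEK or db. The following is an added example, not code from the thread, from Void, or from efitools; it builds and parses the EFI_SIGNATURE_LIST layout from the UEFI spec so you can see exactly what goes into those variables and check what a firmware or `efi-readvar` hands back. The owner GUID, the stand-in DER bytes and the digests are constructed placeholders, and the PKCS#7 wrapping that `sign-efi-sig-list` adds is not shown.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs, the format Secure Boot's
db/KEK/PK variables hold and that efitools' cert-to-efi-sig-list and
hash-to-efi-sig-list emit.  Added example; not efitools or Void code.

Layout (UEFI spec):
  EFI_SIGNATURE_LIST { EFI_GUID SignatureType;       # 16 bytes
                       UINT32   SignatureListSize;   # whole list, header included
                       UINT32   SignatureHeaderSize; # 0 for X509 and SHA256 lists
                       UINT32   SignatureSize; }     # 16 (owner GUID) + data length
  EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner;      # 16 bytes
                       UINT8    SignatureData[]; }   # DER cert or digest
"""
import struct
import uuid

# Signature-type GUIDs from the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI stores GUIDs mixed-endian (first three fields little-endian), which is
# what uuid.UUID.bytes_le gives us.
HEADER = struct.Struct("<16sIII")


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: list) -> bytes:
    """Serialise entries (DER certs or SHA-256 digests) into one ESL.

    The header carries a single SignatureSize, so every entry in a list must
    be the same length: cert-to-efi-sig-list emits one list per certificate,
    while a hash list can hold many digests.
    """
    if not entries:
        raise ValueError("an EFI_SIGNATURE_LIST must hold at least one entry")
    data_len = len(entries[0])
    if any(len(e) != data_len for e in entries):
        raise ValueError("all entries in one list must have the same size")
    if sig_type == EFI_CERT_SHA256_GUID and data_len != 32:
        raise ValueError("SHA256 entries must be 32-byte digests")
    sig_size = 16 + data_len
    list_size = HEADER.size + len(entries) * sig_size
    out = bytearray(HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size))
    for entry in entries:
        out += owner.bytes_le + entry
    return bytes(out)


def parse_esls(blob: bytes) -> list:
    """Walk a variable's contents (possibly several concatenated lists) and
    return [(sig_type, [(owner, data), ...]), ...].  Sizes are checked so a
    truncated or mis-sized blob raises instead of being silently mis-parsed."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        body = list_size - HEADER.size - hdr_size
        if sig_size <= 16 or body % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        start = off + HEADER.size + hdr_size
        sigs = []
        for i in range(body // sig_size):
            rec = blob[start + i * sig_size:start + (i + 1) * sig_size]
            sigs.append((uuid.UUID(bytes_le=rec[:16]), rec[16:]))
        lists.append((uuid.UUID(bytes_le=raw_type), sigs))
        off += list_size
    return lists


def is_valid_esl(blob: bytes) -> bool:
    """True if the blob parses as one or more well-formed signature lists."""
    try:
        parse_esls(blob)
        return True
    except ValueError:
        return False


# Constructed sample data.  A real certificate would be the output of
# `openssl x509 -outform DER`; this is just a stand-in DER-looking byte string.
FAKE_DER_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_DIGESTS = [bytes([0x11] * 32), bytes([0x22] * 32)]
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # made-up owner GUID


def example_db() -> bytes:
    """A db variable holding one X.509 list followed by one SHA-256 hash list,
    the shape you get when a signing cert and a few allow-listed binaries coexist."""
    return (build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_DER_CERT])
            + build_esl(EFI_CERT_SHA256_GUID, OWNER, FAKE_DIGESTS))


if __name__ == "__main__":
    for sig_type, sigs in parse_esls(example_db()):
        print(sig_type, [(str(o), len(d)) for o, d in sigs])
```

The first 16 bytes of any X.509 list are `a159c0a5e494a74a87b5ab155c2bf072`, the mixed-endian form of EFI_CERT_X509_GUID; that byte string is what you will see at offset 0 when you hexdump a `.esl` produced by `cert-to-efi-sig-list`, and it is a quick way to confirm a file really is an ESL before handing it to `sign-efi-sig-list` or `efi-updatevar`.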