The methods and tools used in this post are the work of ValdikSS, based on their Super UEFIinSecureBoot Disk.
This guide uses files from the Super UEFIinSecureBoot Disk. The required files can be extracted from Super-UEFIinSecureBoot-Disk_minimal_v3-4.zip (7-zip can be used to extract the archive; alternatively, the core files have been extracted here for convenience).
The Super UEFIinSecureBoot Disk is a three-stage boot loader. On 64-bit systems the following files are loaded, in this order -
\EFI\BOOT\bootx64.efi > \EFI\BOOT\grubx64.efi > \EFI\BOOT\grubx64_real.efi
List of files to be extracted from Super-UEFIinSecureBoot-Disk_minimal_v3-4.zip -
- \EFI\BOOT\BOOTX64.EFI - stage 1 64-bit boot loader. Currently based on the Red Hat shim (v15-8) from Fedora. This file is signed with a Microsoft key and is used for the initial boot (stage 1).
- \EFI\BOOT\grubx64.efi - stage 2 64-bit loader. A modified Linux Foundation PreLoader, used to circumvent the UEFI Secure Boot policy and chainload unsigned .efi files. This stage 2 loader (chainloaded by \EFI\BOOT\bootx64.efi) chainloads the stage 3 loader \EFI\BOOT\grubx64_real.efi.
- \EFI\BOOT\mmx64.efi - 64-bit MOK (Machine Owner Key) manager. The stage 1 loader launches this program automatically if the firmware does not have the stage 2 loader's key enrolled in the UEFI Secure Boot key database. This is only required once: after the key has been enrolled successfully, the stage 2 loader loads automatically.
- \EFI\BOOT\bootia32.efi - stage 1 32-bit boot loader. Refer to the \EFI\BOOT\bootx64.efi entry above for details.
- \EFI\BOOT\grubia32.efi - stage 2 32-bit boot loader. Refer to the \EFI\BOOT\grubx64.efi entry above for details.
- \EFI\BOOT\mmia32.efi - 32-bit MOK (Machine Owner Key) manager. Refer to the \EFI\BOOT\mmx64.efi entry above for details.
- \ENROLL_THIS_KEY_IN_MOKMANAGER.cer - digital certificate for \EFI\BOOT\grubx64.efi / \EFI\BOOT\grubia32.efi. As these files do not contain an embedded Fedora certificate (required for the stage 1 loader to load stage 2 automatically), MOK manager will be launched and can be used to install this certificate, allowing the stage 2 loader to load successfully on subsequent boots.
- 64-bit - Extract bootx64.efi and rename it grubx64_real.efi (path \EFI\BOOT\grubx64_real.efi)
- 32-bit - Extract bootia32.efi and rename it grubia32_real.efi (path \EFI\BOOT\grubia32_real.efi)
The resulting file layout on the boot volume -
\EFI\
\EFI\boot\
\EFI\boot\bootia32.efi
\EFI\boot\bootx64.efi
\EFI\boot\grubia32.efi
\EFI\boot\grubia32_real.efi
\EFI\boot\grubx64.efi
\EFI\boot\grubx64_real.efi
\EFI\boot\mmia32.efi
\EFI\boot\mmx64.efi
\ENROLL_THIS_KEY_IN_MOKMANAGER.cer
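Added example (not part of the Super UEFIinSecureBoot Disk or of this guide): a Python script that audits an extracted copy of the layout above and reports which stage binaries carry an embedded Authenticode signature, the property that the firmware and shim check at each hand-off. It assumes the ESP root path passed to audit_esp and uses a constructed minimal PE32+ image purely for offline self-testing; it only detects whether a signature blob is present, not whether it validates or whether its certificate is trusted by the firmware database or the MOK list.

```python
import os
import struct
EXPECTED_FILES = [  # 64-bit chain of the layout listed above
    "EFI/BOOT/bootx64.efi",       # stage 1: Red Hat shim, Microsoft-signed
    "EFI/BOOT/grubx64.efi",       # stage 2: modified PreLoader, trusted via MOK
    "EFI/BOOT/grubx64_real.efi",  # stage 3: the loader renamed into place
    "EFI/BOOT/mmx64.efi",         # MOK manager
]
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: data directory slot for Authenticode

def authenticode_size(data: bytes) -> int:
    # Bytes of the embedded Authenticode blob (0 if none). The entry holds a raw file offset.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe + 24                                        # optional header
    if opt + 112 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return 0
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ vs PE32
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    entry = opt + (112 if plus else 96) + 8 * SECURITY_DIR
    if ndirs <= SECURITY_DIR or entry + 8 > len(data):
        return 0
    off, size = struct.unpack_from("<II", data, entry)
    return size if size and off + size <= len(data) else 0

def audit_esp(root: str) -> dict:
    # Map each expected path to "missing", "unsigned" or "signed(<blob bytes>)".
    report = {}
    for rel in EXPECTED_FILES:
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            report[rel] = "missing"
            continue
        with open(path, "rb") as f:
            size = authenticode_size(f.read())
        report[rel] = f"signed({size})" if size else "unsigned"
    return report

def make_fake_pe(signed: bool) -> bytes:
    # Constructed minimal PE32+ header for offline testing; not a real EFI binary.
    img = bytearray(0x200)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)      # PE32+ magic
    struct.pack_into("<I", img, 0x80 + 24 + 108, 16)   # NumberOfRvaAndSizes
    if signed:  # point the security directory at a 64-byte tail
        struct.pack_into("<II", img, 0x80 + 24 + 112 + 32, 0x200, 64)
        img += bytes(64)
    return bytes(img)
```

Run audit_esp against the root of the extracted disk (the directory containing EFI\) to see which stages carry a signature blob at all; a stage 3 binary reported "unsigned" is exactly what the chain above exists to load.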
As the system is unlikely to have a digital key for the stage 2 boot loader (grubia32.efi / grubx64.efi) enrolled in the firmware on first boot, the MOK manager will be launched automatically. The following steps show the process for installing the digital certificate (\ENROLL_THIS_KEY_IN_MOKMANAGER.cer) for the stage 2 loader (\EFI\BOOT\grubx64.efi).
- ERROR > the Verification Failed message is displayed when the stage 2 loader does not have a digital certificate enrolled in the UEFI Secure Boot key database. Select OK > Enter
- Shim UEFI key management > Press any key within the 10 second time limit to progress with MOK management and enrolling the digital certificate
- Perform MOK management > Select the option Enroll key from disk > Enter
- Select Key > Select the disk/volume containing your digital certificate/key file. On the test system only one volume was available - this was the EFI system partition with volume label NVME1
- Select Key > Browse to ENROLL_THIS_KEY_IN_MOKMANAGER.cer > Enter
- Enroll MOK > Select Continue
- Enroll the key(s)? > Select Yes
- Perform MOK management > Select Reboot
Misty