[SOLVED] Error following the Gentoo Wiki Secure Boot guide

Message

nvaert1986 · Post by **nvaert1986** » Fri Jul 26, 2024 1:36 pm

Hello everybody,

I'm trying to set-up Secure Boot on my machine correctly, but I'm receiving an error during the step: Signing the Signature Lists with the command to sign the signature databases.

Code: Select all

for db_type in db dbx; do sign-efi-sig-list -k custom_config/${db_type}.key -c custom_config/KEK.crt $db_type ${db_type}.esl ${db_type}.auth ; done

Code: Select all

Timestamp is 2024-7-26 15:33:38
Authentication Payload size 5991
Enter PEM pass phrase:
40A7E56B1F7F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl-3.0.13/crypto/x509/x509_cmp.c:408:
40A7E56B1F7F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.13/crypto/pkcs7/pk7_smime.c:125:
Signature of size 22
Signature at: 40
Timestamp is 2024-7-26 15:33:40
Authentication Payload size 20432
Enter PEM pass phrase:
40F7CB7DB97F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl-3.0.13/crypto/x509/x509_cmp.c:408:
40F7CB7DB97F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.13/crypto/pkcs7/pk7_smime.c:125:
Signature of size 22
Signature at: 40

I've tried it twice with creating clean keys. What could be the cause of this error?

nvaert1986 · Post by **nvaert1986** » Mon Aug 05, 2024 11:39 am

Bump: Anyone?

salahx · Post by **salahx** » Mon Aug 05, 2024 10:53 pm

I think that article has a few error has a few error. The DB and DBX values should not have their own keys, rather, they should be signed by your KEK. So the line should be:

Code: Select all

for db_type in db dbx; do sign-efi-sig-list -k custom_config/KEK.key -c custom_config/KEK.crt $db_type ${db_type}.esl ${db_type}.auth ; done

New at Gentoo · Post by **pietinger** » Mon Aug 05, 2024 11:33 pm

Or simply use the script from Rod Smith (has no use of dbx):
viewtopic-p-8492354.html#8492354

nvaert1986 · Post by **nvaert1986** » Tue Aug 06, 2024 7:59 am

After doing some more searching on the internet (facing issues with TPM), using grub and checking other available options, I have decided not to use custom secure boot keys, but to go the Shim / MOK route using a combination of the following articles: https://wiki.gentoo.org/wiki/Shim and https://www.setphaserstostun.org/posts/ ... shim-grub/ with some custom scripting as this leaves the default Secure Boot keys intact and I'm still able to automate the process using the "secureboot" USE flag which will automatically sign the kernel and kernel modules and enhance the security this way.