RHEL-90704: shim needs to properly support and enforce multiple GRUB / UKI signatures

Issue type: Epic
Resolution: Unresolved
Priority: Undefined
Component: shim
Epic name: shim to GRUB multi-signature support & policy
Severity: Important
rhel-bootloader, ssg_core_services
      shim honors both signatures on a dual-signed GRUB, and it boots even if one of the certs is in dbx.

      [root@fedora ~]# mokutil --sb-state
      SecureBoot enabled
      [root@fedora ~]# mokutil --pk
      fbb731c779 Martas Platform key
      [root@fedora ~]# mokutil --kek
      d5114bc1e9 Martas Key Exchange Key
      [root@fedora ~]# mokutil --db
      fd0dcbe5bf Signature Database key 1
      7a64fdcc69 GRUB Signing Key 1
      52c2eeec55 Kernel Signing Key 1
      [root@fedora ~]# mokutil --dbx
      1f9b8eb301 GRUB Signing Key 2
      [root@fedora ~]# pesign -S -i /boot/efi/EFI/fedora/grubx64.efi
      ---------------------------------------------
      certificate address is 0x7fd965917008
      Content was not encrypted.
      Content is detached; signature cannot be verified.
      The signer's common name is GRUB Signing Key 1
      No signer email address.
      Signing time: Fri May 16, 2025
      There were certs or crls included.
      ---------------------------------------------
      certificate address is 0x7fd9659178a0
      Content was not encrypted.
      Content is detached; signature cannot be verified.
      The signer's common name is GRUB Signing Key 2
      No signer email address.
      Signing time: Fri May 16, 2025
      There were certs or crls included.
      ---------------------------------------------

      This is desired behavior at the outset, so we need to develop a mechanism to enforce using a specific key that does not rely on dbx, for the PQ-only scenario.
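The following is an added example written for this page; it is not code from the ticket, from shim or from pesign. It walks the Attribute Certificate Table of a PE32+ image (the structure pesign -S is listing above, one WIN_CERTIFICATE entry per signature), derives an identifier per signature, and then evaluates two policies over the dual-signed GRUB case: the any-valid-signer behaviour observed in the ticket (a second signer sitting in dbx does not veto the image), and a pinned-key policy in which the pin, not dbx, is what excludes the other key. Everything named here is an assumption of the example: the PE image is constructed in memory with headers only, the bCertificate blobs are placeholder bytes rather than real PKCS#7 SignedData, so signer_id hashes the whole blob where a real checker would verify the signature and hash the signer's X.509 certificate, and any_signer_policy / pinned_signer_policy are simplified models, not shim's actual verification code.

```python
"""Added example, not code from the RHEL-90704 ticket or from shim itself.

Walks the Attribute Certificate Table of a PE32+ image, derives an identifier
for each embedded Authenticode signature, and evaluates two boot policies over
them: the any-valid-signer behaviour observed in the ticket, and a pinned-key
policy that does not depend on dbx. All input data below is constructed.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot of the certificate table
OPTHDR_DATADIR_OFFSET = 112             # first data directory inside a PE32+ optional header
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def cert_table_entries(image: bytes):
    """Yield (wCertificateType, bCertificate) for every WIN_CERTIFICATE entry.

    The security directory is special: its VirtualAddress is a raw file offset,
    and each entry is padded to an 8-byte boundary (dwLength excludes padding).
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                              # skip signature + COFF header
    if struct.unpack_from("<H", image, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("this example handles PE32+ images only")
    dd = opt + OPTHDR_DATADIR_OFFSET + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", image, dd)
    end = off + size
    if end > len(image):
        raise ValueError("certificate table runs past end of image")
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE")
        yield ctype, image[off + 8:off + length]
        off += (length + 7) & ~7


def signer_id(blob: bytes) -> str:
    """Identifier for the signer behind one bCertificate blob (simplified).

    A real checker parses the PKCS#7 SignedData, verifies it against the
    Authenticode image hash (which excludes the certificate table, so a second
    signature does not change it) and hashes the signing X.509 certificate.
    The constructed sample carries no real PKCS#7, so the blob is hashed as-is.
    """
    return hashlib.sha256(blob).hexdigest()


def any_signer_policy(ids, db, dbx):
    """Model of what the ticket observed: boots if any signature chains to a db
    entry not also listed in dbx; another signer being in dbx does not veto it."""
    return any(i in db and i not in dbx for i in ids)


def pinned_signer_policy(ids, pinned):
    """Hypothetical dbx-free enforcement: boot only if every pinned key signed
    the image, whatever other signatures are attached."""
    return set(pinned) <= set(ids)


def build_sample_image(cert_blobs):
    """Minimal PE32+ shell (headers only) with blobs appended as WIN_CERTIFICATE
    entries. Constructed test data, not a real signed bootloader."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    table = bytearray()
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", opt, OPTHDR_DATADIR_OFFSET + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(hdr) + len(opt), len(table))
    return bytes(hdr + opt + table)


def boot_verdicts(image, db, dbx, pinned):
    """Signer ids found in IMAGE plus the verdict of both policies."""
    ids = [signer_id(b) for t, b in cert_table_entries(image)
           if t == WIN_CERT_TYPE_PKCS_SIGNED_DATA]
    return ids, any_signer_policy(ids, db, dbx), pinned_signer_policy(ids, pinned)


# Constructed stand-ins for the two certificates seen in the pesign output.
GRUB_KEY_1 = b"constructed stand-in for GRUB Signing Key 1"
GRUB_KEY_2 = b"constructed stand-in for GRUB Signing Key 2"
KEY1, KEY2 = signer_id(GRUB_KEY_1), signer_id(GRUB_KEY_2)
DUAL_SIGNED = build_sample_image([GRUB_KEY_1, GRUB_KEY_2])
KEY1_ONLY = build_sample_image([GRUB_KEY_1])

if __name__ == "__main__":
    # Ticket's setup: Key 1 in db, Key 2 in dbx, GRUB signed by both.
    print(boot_verdicts(DUAL_SIGNED, db={KEY1}, dbx={KEY2}, pinned={KEY1}))
    # A GRUB carrying only the Key 1 signature, nothing in dbx, pinned to Key 2.
    print(boot_verdicts(KEY1_ONLY, db={KEY1, KEY2}, dbx=set(), pinned={KEY2}))
```

The second call is the case dbx cannot express: with nothing revoked and both keys still in db, the any-signer policy boots the single-signed image, while the pinned policy rejects it because the required signature is absent. Pointing the script at a real grubx64.efi would still enumerate the entries, but signer_id would have to be replaced by actual PKCS#7 parsing and verification before the ids mean anything.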

Assignee: bootloader-eng-team
Reporter: Marta Lewandowska