pesign

Mr Dash Four mr.dash.four at googlemail.com
Fri Oct 19 13:27:40 UTC 2012


> You'd have to write some code for both grub2 and shim.  Grub2 doesn't
> actually do the authentication itself, it calls back to shim to do that.
> And shim is looking in two databases for certs/hashes.
>
> You'd probably need to rebuild shim with your personal key embedded,
> and modified to always verify.  Then you'd need to modify grub2 to
> always call shim to do verification and install that.  I honestly have
> no idea how difficult that would be.
>   
Looks complicated - I'll keep that option in mind as "plan B" if I get 
stuck and my "plan A" is not feasible!

> It's carried in the patchset and put in
> Documentation/kernel-parameters.txt.  It's called "secureboot_enable=".
>   
Brilliant, thanks!

> You should be able to disable Secure Boot in the firmware, and reboot
> back into setup mode.  It should allow you to delete all the existing
> keys at that point.  Though you'd actually need to have a machine that
> has Secure Boot implemented in the first place.
>   
Aha! I wasn't aware of that (it tells me I could disable it, but I 
wasn't aware that I could delete all the keys... nice!).

> You can.  In order to be specification compliant, the machine needs to
> allow you to disable Secure Boot.
That is indeed the case!

>   Once that's done, it'll enter setup
> mode.  Once in that mode, I believe there are even some open source
> tools that will help you enroll keys, etc.
>   
I'll dig that up when I have more time. If I could manage to get that 
working the rest should fall into place quite easily and I won't need to 
mess around with shim/grub2. Thanks for that Josh, much appreciated!
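As an added example (not part of this thread or of the shim/pesign projects), a small Python check for the firmware state Josh describes, read from Linux efivarfs: whether the machine is in user mode with Secure Boot enforcing, or has dropped back into setup mode where keys can be enrolled and deleted. The variable names and GUID are from the UEFI specification; the sample byte strings and the summary labels are constructed here.

```python
import os
import struct

# UEFI global-variable namespace GUID (SecureBoot, SetupMode, PK, KEK, db, dbx)
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, payload).

    efivarfs prefixes the variable data with a 4-byte little-endian
    attribute bitmask (e.g. 0x2 BOOTSERVICE_ACCESS | 0x4 RUNTIME_ACCESS).
    """
    if len(raw) < 4:
        raise ValueError("efivar too short to carry the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def flag_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte flags: 0 or 1."""
    _, payload = parse_efivar(raw)
    if len(payload) != 1:
        raise ValueError(f"expected a 1-byte payload, got {len(payload)}")
    return payload[0] == 1

def classify(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Summarise the firmware key state (labels are constructed here)."""
    if flag_var(setupmode_raw):
        # No Platform Key enrolled: KEK/db/dbx may be written or cleared.
        return "setup-mode"
    if flag_var(secureboot_raw):
        return "enforcing"        # PK present and signature checks active
    return "user-mode-disabled"   # PK present, but Secure Boot switched off

def read_efivar(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> bytes:
    """Read one variable from the live system (requires efivarfs mounted)."""
    with open(os.path.join(EFIVARS_DIR, f"{name}-{guid}"), "rb") as f:
        return f.read()

if __name__ == "__main__":
    try:
        print(classify(read_efivar("SecureBoot"), read_efivar("SetupMode")))
    except FileNotFoundError:
        print("not a UEFI boot, or efivarfs not mounted")
```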
