# Secure Boot and custom certificates Let's say you have a laptop with Windows installed on it by its manufacturer (so called OEM version). You want to keep Secure Boot enabled, but you also want to boot some custom Linux from USB drive or through the network via PXE. ![Secure Boot Enabled](/files/kmcrBDHiLCT0BGaJfvPP) You need to sign a kernel, otherwise you get this error {% content-ref url="/pages/-Mk5fdZpVXywzKDDluc3" %} [bzImage has invalid signature](/pxe-boot/secure-boot-enabled/bzimage-has-invalid-signature.md) {% endcontent-ref %} You normally would follow instructions like this , where new signature is installed by mokutil, but you are on Windows right now. According to Eclypsium in there is Kaspersky Rescue Disk 18 that bypasses Secure Boot. Official build is hardened with signatures, but hacky version still can be found online (). It will work only if you don't update your Windows (since somewhere like 2020), because UEFI Forum already have this bootloader in the revocation list () ``` 30: {microsoft} {sha256} 81d8fb4c9e2e7a8225656b4b8273b7cba4b03ef2e9eb20e0a0291624eca1ba86 ``` Probably a great article , but good God Roderick W. Smith, I fall asleep after each paragraph, I don't know which note is important, I read information and don't know how to apply it. ## Packages to your system * sbsigntools * pesign ## Add to ESP partition * public key (for MOK), * shimx64.efi (Secure boot solution from Matthew J. Garrett), * mmx64.efi (mm stands for MOK Manager), * grubx64.efi (GRUB 2) Where to get this files? ``` openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt \\ -nodes -days 3650 -subj "/CN=Your Name/" openssl x509 -in MOK.crt -out MOK.cer -outform DER ``` ```bash git clone https://github.com/rhboot/shim.git cd shim git submodule update make ``` Following tutorial from [https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-uefi.html]() ``` openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=Ethogaming/" openssl x509 -in MOK.crt -out MOK.cer -outform DER openssl pkcs12 -export -inkey MOK.key -in MOK.crt \ -name kernel_cert -out cert.p12 certutil -d . -N pk12util -d . -i cert.p12 pesign -n . -c kernel_cert -i bzImage -o vmlinuz.signed -s ``` Getting an error ``` pesign: could not parse signature list in EFI binary ``` Later I realized () that my kernel should have `CONFIG_EFI_STUB` enabled Finding another tutorials * * * And trying ``` openssl x509 -in MOK.cer -inform DER -outform PEM -out MOK.pem sbsign --key MOK.key --cert MOK.pem --output bzImage.signed bzImage ``` And getting an error {% content-ref url="/pages/-MgjMg0IYTDtEfQ86RoA" %} [Invalid DOS header magic](/pxe-boot/troubleshooting/invalid-dos-header-magic.md) {% endcontent-ref %} ### Sign the kernel ``` sbsign --key ~/efitools/MOK.key --cert ~/efitools/MOK.crt \\ --output vmlinuz-signed.efi vmlinuz.efi warning: file-aligned section .text extends beyond end of file warning: checksum areas are greater than image size. Invalid section table? ``` ### How to compile grubx64.efi bug git clone patch --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://neupokoev-n.gitbook.io/pxe-boot/secure-boot-enabled.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.