Been down the rabbit hole lately of UEFI Secure Boot issues, and decided to write an overview of how it works out-of-the-box in the excellent Debian-based Linux Mint LMDE 6.

Have mostly been researching this stuff as I was looking to replace GRUB entirely with systemd-boot on one of my systems. Will likely write a follow-up piece documenting that journey if I think it’d be interesting to some nerds out there.

  • witx@lemmy.sdf.org
    link
    fedilink
    arrow-up
    2
    arrow-down
    2
    ·
    1 year ago

    The EFI binary is signed by a private key, whose public key signature is present in the trusted Signature Database (db).

    Shouldn’t it be the opposite? i.e signed by a public key?

    • Hugin@lemmy.world
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      Nope. You sign with the private key and verify with the public key. Basically you use the private key to do stuff only you should be able to do and the public key is used by the public to verify it was you who did it.