Hi,
I'm trying to reuse my existing enrolled SB keys to sign the generated particleos image, but that does not seem to work;
My current arch setup:
```ini
[UKI]
SecureBootSigningTool=systemd-sbsign
SignKernel=true
SecureBootPrivateKey=/etc/kernel/secure-boot-private-key.pem
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
Splash=/usr/share/systemd/bootctl/splash-arch.bmp

[PCRSignature:initrd]
#Phases=enter-initrd
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key.pem
```

I temporarily copied over the secureboot keys to my mkosi folder and made them world readable to be able to build the image without root (need to find a better long term solution for the keys).
```
$ cat mkosi.local.conf
[Distribution]
Distribution=arch

[Config]
Profiles=desktop,gnome,obs

[Validation]
SecureBootKey=secure-boot-private-key.pem
SecureBootCertificate=secure-boot-certificate.pem
SignExpectedPcrKey=secure-boot-private-key.pem
SignExpectedPcrCertificate=secure-boot-certificate.pem
VerityKey=secure-boot-private-key.pem
VerityCertificate=secure-boot-certificate.pem
```

The signature looks ok:
```
$ run0 sbverify --cert /etc/kernel/secure-boot-certificate.pem mkosi.output/ParticleOS_20250611135303_x86-64.efi
Signature verification OK
```

But I'm getting

```
...boot.c:2617@call_image_start: Error loading EFI binary \EFI\Linux\ParticleOS_20250611135303_x86-64.efi : Access denied
```

Anything obviously stupid I'm doing? Thanks!!
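When sbverify accepts the image but the firmware refuses to start it, one check worth running is whether the certificate that signed the UKI is actually among the X.509 entries in the firmware's db variable. The script below is an added example, not code from this issue or from mkosi/ParticleOS; it assumes Python 3 with only the standard library, reads db from the standard efivars path (the GUID is the UEFI image security database GUID) and compares the raw DER of a PEM certificate against every EFI_SIGNATURE_LIST entry. The DER_* values are constructed stand-ins so the script also runs on a machine without efivars.

```python
import base64
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI spec: the X.509 entry type and the db variable's vendor GUID.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DB_EFIVAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and return the DER bytes (no X.509 parsing needed)."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def der_to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def iter_signature_lists(blob: bytes):
    """Yield (SignatureType, [SignatureData, ...]) for each EFI_SIGNATURE_LIST in blob."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        entries, pos = [], off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            entries.append(blob[pos + 16:pos + sig_size])  # skip the SignatureOwner GUID
            pos += sig_size
        yield sig_type, entries
        off += list_size

def cert_in_db(db_blob: bytes, cert_pem: str) -> bool:
    """True if the exact DER certificate appears as an X.509 entry in the db blob."""
    der = pem_to_der(cert_pem)
    return any(t == EFI_CERT_X509_GUID and der in e for t, e in iter_signature_lists(db_blob))

def read_db_variable(path: Path = DB_EFIVAR) -> bytes:
    """efivars prefixes the variable data with a 4-byte attributes word; drop it."""
    return path.read_bytes()[4:]

def build_db(certs_der: list) -> bytes:
    """Constructed fixture: one single-entry X.509 list per certificate."""
    out = b""
    for der in certs_der:
        sig_size = 16 + len(der)
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
        out += uuid.UUID(int=0).bytes_le + der  # zero SignatureOwner, then the DER
    return out

# Constructed stand-ins for DER certificates (not real X.509 data).
DER_ENROLLED = b"\x30\x82\x00\x20" + b"A" * 32
DER_OTHER = b"\x30\x82\x00\x20" + b"B" * 32

if __name__ == "__main__":
    db = read_db_variable() if DB_EFIVAR.exists() else build_db([DER_ENROLLED])
    print("enrolled" if cert_in_db(db, der_to_pem(DER_ENROLLED)) else "NOT enrolled")
```

On a real system, replace `der_to_pem(DER_ENROLLED)` with the contents of the PEM certificate passed to sbverify; the same parser also works on a dbx dump if you want to confirm the certificate has not been revoked.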