On Tue, 1 Oct 2019 at 13:18, Mick <michaelkintzios@×××××.com> wrote:

> When using Secure Boot the UEFI firmware checks the binaries to be
> loaded have been signed by Microsoft. The 'SHA256 verified' message
> indicates the systemd-boot binary is signed using a key which is
> ultimately signed by Microsoft and is contained in the whitelist
> (MokList). If the verification failed I think it would spit something
> back to allow you to enrol a valid hash or key.

Scratch that - the message itself is a debug message following an
early SHA-256 implementation self-test[1] before the systemd-provided
random seed file is loaded. All the Secure Boot signature checks that
follow will utilise the random seed file systemd provides.

[1] https://github.com/systemd/systemd/blob/4c858c6fd5d588b30d9851bb576520e74b041739/src/boot/efi/random-seed.c#L172

--
Regards,
Mick