@scy go for it, configuration of that thing is sooo much cleaner than grub (and you can save another entry as the default entry by just pressing "d" in the boot menu)
I'm kind of a noob when it comes to how SB works, but the way I understand it, since sd-boot only works with UKIs, I need to combine Debian's signed kernel and initramfs into a UKI and thus self-sign anyway.
@scy@dunkelstern Ah sorry, then I skipped a lot of steps in my initial reply.
So from the wiki page, only shim is signed by Microsoft, the others (including GRUB) are signed by Debian, which tracks with what I know. So the Microsoft signed shim is required if you want to use SB but not roll your own keys, as most consumer hardware has only the Microsoft CA installed and not the Debian one. Instead, shim contains the Debian CA and then verifies the Debian signed GRUB, I believe. [1/3]
Add comment