Package talk:Shim
this needs to be more scriptified....
mount /boot emerge sys-boot/mokutil sys-boot/shim
- create new key
mkdir -p /var/lib/shim-signed/mok ; cd /var/lib/shim-signed/mok openssl req -new -x509 -newkey rsa:4096 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=Funtoo Secure Boot/" openssl x509 -inform DER -in MOK.der -out MOK.pem
- copy shim and key to EFI dir
mkdir -p /boot/EFI/BOOT cp /var/lib/shim-signed/mok/MOK.der /boot/funtoo.der cp /usr/share/shim/BOOTX64.EFI /boot/EFI/BOOT cp /usr/share/shim/mmx64.efi /boot/EFI/BOOT mokutil --import /var/lib/shim-signed/mok/MOK.der grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="BOOT" --recheck /dev/sdb --sbat /boot/sbat.csv sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem --output /boot/grub/x86_64-efi/grub.efi-signed /boot/grub/x86_64-efi/grub.efi sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem --output /boot/EFI/BOOT/grubx64.efi-signed /boot/EFI/BOOT/grubx64.efi sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem --output /boot/kernel-debian-sources-x86_64-5.18.16_p1-signed /boot/kernel-debian-sources-x86_64-5.18.16_p1 mv /boot/grub/x86_64-efi/grub.efi-signed /boot/grub/x86_64-efi/grub.efi mv /boot/EFI/BOOT/grubx64.efi-signed /boot/EFI/BOOT/grubx64.efi mv /boot/kernel-debian-sources-x86_64-5.18.16_p1-signed /boot/kernel-debian-sources-x86_64-5.18.16_p1 genkernel --loglevel=0 --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs efibootmgr --delete-bootnum --bootnum 2001 efibootmgr --unicode --create --label "Shim" --disk /dev/sdb --part 1 --loader /boot/EFI/BOOT/BOOTX64.EFI umount /boot
ego boot update