I'm not sure whether there's a guide for this but I'd like to know the detailed steps (step-by-step guide perhaps?) involved in achieving the following:
- Re-sign shim with a custom CA private key, but still let shim use the Fedora boot CA public key to verify the kernel components for Secure Boot.
- Replace Microsoft's key stored in the firmware with the corresponding custom CA public key whose private key was used to sign shim.
The main goal that I want to achieve is to replace the built-in Microsoft CA certificate stored in the firmware, in order to forbid Microsoft-signed OS bootloaders from being executed, and still use UEFI's Secure Boot functionality to boot up F19. The general overview seems to be outlined in this link, but I'm not able to find any detailed guide to do this.
Best Answer
I think you can follow the process below:
But I am afraid that removing the MS certificate from shim.efi might break. You might be interested in reading this link for more details.
I have taken a few points below for your reference:
Point #1:
Point #2: