I think there is a typo in cyptdevice=…
Not sure why sbctl is not mentioned and how it compares to the manual process but otherwise great post! I’ll check out bgrt_disable…
Yes, there is a typo! Thanks :)
Explaining secure boot signing felt out of scope for the blog post, which is more about simplifying the boot process with UEFI stubs more so then trying to cram everything into one post about a reasonable boot setup. You’ll notice that I only briefly mention the systemd-boot features along with discoverable partitions as everything would just be a huuuggee information overload.
It says that grub doesn’t verify secure boot signatures on the files they run, but the last time I worked on it (2 years ago), the kernel had to be signed by the SB keys and all the files (initrd, configs, kernel, grub modules) had to be signed with GPG to work. Is this different now ?
There have been ~220 patches and around 30 (or something) CVEs for secure boot issues in GRUB so it’s more complicated. When I was looking at this around the same time (2019) grub allowed you to boot unsigned kernels.
These days grub isn’t suppose to be used in secure boot without utilizing a shim.