openssl genrsa -aes256 -out db.key 2048
openssl genrsa -aes256 -out KEK.key 2048
openssl genrsa -aes256 -out PK.key 2048
openssl req -new -x509 -key db.key -subj '/O=maurus.networks GmbH/CN=XPS13_2 db/' -out db.crt
openssl req -new -x509 -key KEK.key -subj '/O=maurus.networks GmbH/CN=XPS13_2 KEK/' -out KEK.crt
openssl req -new -x509 -key PK.key -subj '/O=maurus.networks GmbH/CN=XPS13_2 PK/' -out PK.crt
cert-to-efi-sig-list PK.crt PK.esl
cert-to-efi-sig-list db.crt db.esl
cert-to-efi-sig-list KEK.crt KEK.esl
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.authThe .auth files can be easily imported in the Dell BIOS by copying them to the EFI vfat partitions and clicking "import" in the BIOS.
Use 1000000 PBKDF2 iterations for the grub2 user password.
After running build-secureboot.sh add the signed GRUB UEFI loader like this:
# -e 3 will create an entry of the form "PciRoot(0x0)/Pci(...)" which is like Dell's BIOS does it, too.
# Dell's BIOS tends to "lose" UEFI entries once you plug in a UEFI USB stick when they're in a different
# form.
efibootmgr -c -l '\EFI\debian\shimx64.efi.signed' -L "debian secureboot" -e 3 -w -p 1 -d /dev/nvme0n1Once Secure Boot is enabled, only this UEFI entry will work. I would leave the "Debian package managed" UEFI entry alone. It can be useful to boot the system after turning Secure Boot off in the BIOS for a rescue attempt.