rhboot / shim

UEFI shim loader


How does shim compute SHA256 hashes?

russfink opened this issue · comments

More a question than an issue. I'm trying to enroll a hash of my unified kernel EFI image (UKI) into MOK. The hash that the MOK screen computes is different than any SHA256 I can compute myself - I've tried sha256sum'ing the EFI image, pesign -h the image, appending iconv -t UCS-2 copy of the password in a file and catting that before/after the EFI image, but I cannot get the hashes to match.

Is there some way to compute this sha256 hash without running through manual MOK hash enrollment, then using mokutil to capture what it produced?

(The bigger issue that I'm trying to work around is that shim does not seem to let my UKI boot. I've signed the internal vmlinuz and the external EFI, but it shows my splash screen then gives "Bootloader has not verified loaded image. System is compromised. halting." I am using the hash as a workaround to this issue. If you have any tips on making that work, that's probably what I need. Even if I could see some debug output, that would be grand.)

Thanks for your advice - I'm grateful to have this shim tool.

Read the source code for pe.c, function generate_hash().

Specifically it skips

  • the checksum
  • the signature table

in the header, then it hashes each section in order, and then it is done.

FWIW, this is the same hash as generated by pesign:

[key 2]
  [SHA-256]
  96a5f3df19d44c12dd30dbefc84f498faced9ca7e136e7261066e536f0a14d57
jak@jak-t14-g3:~/Projects/Ubuntu/shim:master$ sudo pesign --hash  -i /boot/efi/EFI/ubuntu/grubx64.efi  -o /dev/stdout
hash: 96a5f3df19d44c12dd30dbefc84f498faced9ca7e136e7261066e536f0a14d57

with the caveat IIUC (taken from Foxboron/sbctl#85) that pesign does not hash the file correctly if it doesn't have any signatures.

For loading a UKI directly (or chainloading shims), you need to disable the ExitBootServices check - build shim with DISABLE_EBS_PROTECTION=1, otherwise you need to load your UKIs through a compliant boot loader.
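The following is an added example, not code from the shim project or from either commenter, that implements the hashing procedure the first reply describes (skip the CheckSum field and the Certificate Table data-directory entry in the headers, then hash each section's raw data in file order). It follows the Authenticode image-hash layout, so it also hashes any bytes after the last section except the certificate table itself; whether that trailing-data rule matches shim's generate_hash() byte for byte for every image is an assumption to verify against the hash shown by `pesign --hash` on a signed image. It deliberately handles an image with an empty certificate directory, which is the case the second reply says pesign gets wrong. The `build_sample_pe()` helper constructs a minimal PE32+ layout in memory purely so the script runs offline; it is not a real bootloader.

```python
import hashlib
import struct
import sys


def authenticode_sha256(data: bytes) -> str:
    """SHA-256 over a PE image as the comment above describes: skip the 4-byte
    CheckSum field and the 8-byte Certificate Table directory entry, hash the
    rest of the headers, then every section's raw data sorted by file offset,
    then any trailing bytes that are not the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start at offset 96
        dd_off = 96
    elif magic == 0x20B:     # PE32+: data directories start at offset 112
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64              # CheckSum field, excluded from the hash
    certdir_off = opt + dd_off + 4 * 8   # directory entry 4 = certificate table
    cert_size = struct.unpack_from("<II", data, certdir_off)[1]

    h = hashlib.sha256()
    h.update(data[:checksum_off])                    # headers up to CheckSum
    h.update(data[checksum_off + 4:certdir_off])     # CheckSum .. cert dir entry
    h.update(data[certdir_off + 8:size_of_headers])  # rest of the headers

    sections = []
    sec_hdr = opt + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_hdr + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    bytes_hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):       # ascending PointerToRawData
        h.update(data[raw_ptr:raw_ptr + raw_size])
        bytes_hashed += raw_size

    # Trailing data after the last section, minus the certificate table.
    tail = len(data) - bytes_hashed - cert_size
    if tail > 0:
        h.update(data[bytes_hashed:bytes_hashed + tail])
    return h.hexdigest()


def plain_sha256(data: bytes) -> str:
    """What sha256sum prints: the whole file, which is why it never matches."""
    return hashlib.sha256(data).hexdigest()


def build_sample_pe(cert_size: int = 0, checksum: int = 0, text_byte: int = 0x90) -> bytes:
    """Constructed minimal PE32+ image (two 512-byte sections, optional fake
    certificate table) used only to exercise the hash function offline."""
    opt_size, size_of_headers, sec_size = 240, 512, 512
    text_off, data_off = 512, 1024
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE header at 64
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    cert_off = data_off + sec_size if cert_size else 0
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, cert_size)

    def sec(name, raw_off, raw_size):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, raw_off, raw_size,
                           raw_off, 0, 0, 0, 0, 0x60000020)

    hdr = bytes(dos) + coff + bytes(opt) + sec(b".text", text_off, sec_size) \
        + sec(b".data", data_off, sec_size)
    hdr = hdr.ljust(size_of_headers, b"\0")
    return hdr + bytes([text_byte]) * sec_size + b"\xAB" * sec_size + b"\xCC" * cert_size


if __name__ == "__main__":
    # Usage: python3 pehash.py /path/to/image.efi  (no argument: constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("authenticode sha256:", authenticode_sha256(image))
    print("sha256sum          :", plain_sha256(image))
```

Running it against a constructed image shows the property the issue author was missing: changing the CheckSum field or attaching a certificate table leaves the hash unchanged, while a single byte in `.text` changes it, and the plain whole-file digest is never the same value.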