Morten Linderud

Results 465 comments of Morten Linderud

Did you reset the keys? These should be empty and without the Microsoft CA. Some hardware vendors have terrible UI for resetting the keys and enabling user mode. See https://github.com/Foxboron/sbctl/issues/67#issuecomment-842525769

This is where I should start providing some debug tools for myself inside sbctl :) Output of `hexdump -C /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` again please. Also do verify that the PK and KEK...

This all looks correct to me. Output of `sbctl status` and `sbctl verify`. Did you sign the current boot chain?

I'm not sure what the issue is. I need to write some better debug tools in `sbctl` so we can verify that the efivarfs certificates correspond to the certificate files....

What sort of computer is this? Desktop or laptop? I'm curious if the issue is signed firmware loaded on boot, the rejection of the db key or any of the...

This is on my todo. Before a 1.0 release I want native TPM support and go-piv support for yubikey at a minimum. But not sure about PKCS#11 and other engines...

> Any specifics on how one can support you with that?

Well, join me and hack on crazy `go-uefi` stuff and figure out the abstractions. Test sbctl git master branch. Find...

Would it make sense to move this to its own efivar? Or should it just be written to a directory?

Currently I have toyed with the idea of utilizing toml for this. I have also mocked up an example config.

```
[keys]
keysize = 4096

[keys.PK]
backend = "hw"

[keys.KEK]...
```

@beroal It's not been implemented yet. Using current secure boot tooling without full disk encryption is a bit useless until HSM or TPM support is implemented.