Pietro Saccardi - 2022-12-22

I have rEFInd 0.13.3.1 installed, and I am trying to make it work with Secure Boot. My laptop seems to randomly re-enable Secure Boot (unsure if this is due to the system or the hardware), so I thought about giving it a shot.

I tried with PreLoader, but I was not very successful. So I tried focusing on Shim. I enrolled rEFInd's key, however boot still fails with Verification failed: (0x1A) Security Violation. If I try to continue, another message appears:

Failed to load image: Security Policy Violation
start_image() returned Security Policy Violation

I tried enrolling the key in multiple ways (by booting into the MOK manager and picking the refind.cer file, as well as using mokutil -i refind.cer and confirming with a password). I can confirm that it is enrolled:

$ mokutil --test-key refind.cer
refind.cer is already enrolled
$ mokutil --list-enrolled | rg Issuer
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Issuer: CN=Roderick W. Smith, rodsmith@rodsbooks.com

I pulled shimx64.efi and mmx64.efi from shim-signed_1.40.7+15.4-0ubuntu9_amd64.deb, taking shimx64.efi.doublesigned.

I also checked that the binary I have installed is verifiable with that key:

# cd /boot/efi/EFI/refind/
# openssl x509 -in refind.cer -inform der -outform PEM > refind.pem
# sbverify --cert refind.pem grubx64.efi 
Signature verification OK

Any idea what could be going wrong here?
I am available to recompile/customize rEFInd for further testing, if needed.
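As an added example (not code from the post above, nor from the rEFInd or shim projects), here is a small Python parser that lists the Authenticode signature entries embedded in a PE binary such as grubx64.efi or a "doublesigned" shimx64.efi; it is a quick way to see how many signers a loader actually carries before deciding which certificate needs to be enrolled. The sample image is constructed inline (a bare PE32+ header, not a bootable binary) purely to exercise the parser.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # data directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x2   # wCertificateType of an Authenticode PKCS#7 blob
WIN_CERT_REVISION_2_0 = 0x200

def list_signatures(pe: bytes) -> list:
    """Walk a PE image's Certificate Table and return one (revision, cert_type,
    payload_length) tuple per embedded WIN_CERTIFICATE. Unsigned image -> []."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                          # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96) # PE32+ vs PE32 data-directory offset
    # For the security directory the first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Clamp to the file size so a truncated table is rejected instead of read past EOF.
    entries, pos, end = [], cert_off, min(cert_off + cert_size, len(pe))
    while cert_size and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt or truncated certificate table entry")
        entries.append((revision, cert_type, length - 8))
        pos += (length + 7) & ~7                 # entries are 8-byte aligned
    return entries

def build_sample_pe(cert_blobs: list) -> bytes:
    """Constructed sample: a minimal PE32+ header (no sections, not bootable)
    carrying one WIN_CERTIFICATE per blob, enough to exercise list_signatures()."""
    e_lfanew, opt_size = 0x40, 112 + 16 * 8
    table = b""
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    table_off = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    directories = [(0, 0)] * 16
    directories[IMAGE_DIRECTORY_ENTRY_SECURITY] = (table_off, len(table))
    opt = struct.pack("<H", 0x20B) + b"\0" * 110
    opt += b"".join(struct.pack("<II", *d) for d in directories)
    return dos + coff + opt + table

if __name__ == "__main__":
    # Two entries, as in a "doublesigned" shim; an image with no table yields [].
    print(list_signatures(build_sample_pe([b"\x30" * 21, b"\x30" * 40])))
```

On a real loader, `list_signatures(open("grubx64.efi", "rb").read())` gives the entry count, and `sbverify --list` shows the signer certificates behind each entry.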