Weired secure boot issue (can't locate kernel)

[Joel Köper]

Hi,

I just replaced grub2 with rEFInd on my pc because I was hoping to get
better results when enabling secure boot.

The setup of rEFInd itself went well (it boots just fine), however when
I switch on secure boot rEFInd suddenly fails to find my kernel (Error:
Not Found while loading vmlinuz-linux-zen).

I installed rEFInd via refind-install --shim /usr/share/shim-signed/shimx64.efi --usedefault /dev/nvme1n1p1 --localkeys --alldrivers and have enrolled the MOK cert.

My boot entry is the following:

menuentry "Arch Linux Zen" {
     icon /EFI/refind/icons/os_arch.png
#    volume 276e79d0-7d0b-4e4b-bd39-bc9fd21e1d53
     volume root
     loader /@/boot/vmlinuz-linux-zen
     initrd /@/boot/initramfs-linux-zen.img
     options "root=PARTUUID=276e79d0-7d0b-4e4b-bd39-bc9fd21e1d53 rw 
add_efi_memmap rootflags=subvol=@ initrd=@\boot\amd-ucode.img 
lsm=landlock,lockdown,yama,integrity,apparmor,bpf quiet loglevel=0 
systemd.show_status=auto rd.udev.log_level=0 splash 
resume=UUID=0a3a4e31-3a5f-4dff-8ef2-093faa15de19"
     submenuentry "Boot - fallback" {
         initrd /@/boot/initramfs-linux-zen-fallback.img
     }
     submenuentry "Boot - terminal" {
         add_options "systemd.unit=multi-user.target"
     }
}

Does anybody know how to help me get secure boot running?
(Unfortunately, disabling it isn't really an option)

Thank you for looking into my issue!

[Joel Köper]

I managed to find my Issue.

There was a brief flash of text (hat to take a photo to read it) before rEFInd came up telling me that the verification of the fs drivers failed.

As it turned out, I enrolled the wrong MOK cert.
I followed the instructions and enrolled the cert that came with rEFInd (/usr/share/refind/keys/refind.cer) instead of the one generated by refind-install --local-keys (/etc/refind.d/keys/refind_local.cer).

Now it works just fine and is (in retrospect) so much easier to setup with shim and secure boot than grub.

Hope this will help somebody else with their install.