The keys under this directory are the public keys used in the verification process of secure boot process for StarlingX debian. Keys Introduction: tis-boot.crt: it is the public key flashed into UEFI to verify bootx64.efi (signed shim image shimx64.efi); tis-shim.der: it is the public key used by shim to verify grubx64.efi (signed grub image) and mmx64.efi (signed shim tool image); boot_pub_key: it is the public key used by grub to verify signed kernel image and initramfs image and efitools image and so on. TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a der format. It is installed as /CERTS/TiBoot.crt in the efi.img which is in the iso image. The following ways can be used to create substitute keys: (1)example to create tis-boot.crt/TiBoot.crt openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes openssl x509 -inform der -in BOOT.der -out BOOT.pem cp BOOT.pem tis-boot.crt cp BOOT.priv tis-boot.key cp BOOT.der TiBoot.crt The tis-boot.crt and tis-boot.key are used to sign images mentioned above. The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way. (2)example to create boot_pub_key ************ #!/bin/bash key_dir="./" priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore" pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore" name_real="SecureBootCore" pw="PASSWORD" USE_PW="Passphrase: PASSWORD" cat >"${key_dir}/gen_keyring" < "${pub_key}" gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}" gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key ************ The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.