secure boot w/ Mender bzImage fails validation #dunfell
We have an Intel Elkhart Lake device that we are trying to get Secure Boot (via meta-secure-core/meta-efi-secure-boot SELoader) working on using the Dunfell release. This device uses Mender for updates via USB. We have Secure Boot working successfully on a similar device, but that device does not employ Mender.
On the HDD image, /boot/bzImage and /boot/bzImage.p7b (the detached digital signature) are present, as are the set of GRUB artifacts in /boot/efi/BOOT/EFI. As a side note, we do not use an initramfs.
Grub and grub.cfg validate on boot, but /boot/bzImage does not.
I've read that SELoader can't access anything outside of the /efi partition. If that's correct, how do we work around this issue?
Thanks for any help, and let me know if you need further information.