You don't need a signed kernel at all, the standard Debian kernel can be enrolled into your motherboard's NVRAM as an authorised image by using the Linux Foundation's PreLoader & HashTool.
See here for more:
http://www.linuxfoundation.org/news-med ... pen-source
PreLoader.efi & HashTool.efi from here:
http://blog.hansenpartnership.com/linux ... -released/
Simply copy the GRUB .efi loader to the default loader file on the EFI system partition (/boot/efi in UEFI Debian systems):
Code: Select all
# mkdir -p /boot/efi/EFI/BOOT
# cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/loader.efi
Then copy over the HashTool.efi & PreLoader.efi (the PreLoader goes to the default loader location):
Code: Select all
cp HashTool.efi /boot/efi/EFI/BOOT/HashTool.efi
cp PreLoader.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
(The FAT filesystem is case-insensitive so capitalisation is unimportant)
For 32-bit systems, replace "X64.EFI" with "IA32.EFI"
You may need to re-jig the boot order afterwards with:
Replace "xxxx" with the bootnumber in the output of `efibootmgr` for the "default UEFI loader" (or similar, *not* the GRUB entry) NVRAM entry.
Of course, it is possible to sign your kernel images instead.
See the excellent Rod Smith site for more on this:
http://www.rodsbooks.com/efi-bootloader ... eboot.html