custom secure boot key database

08-13-2022 07:30 AM
Hi, I need to add ONE custom driver module in "Linux Debian" 10 running Secure Boot.
I already signed the modules (VMware) following the online instructions and perceived the corresponding vm.der and vm.priv, but cannot add it into the BIOS database.
The server is running an independent live distro, so the MOK tool doesn't do it, whereas it is possible to add a single signature file to the DB part of the Secure Boot variable.
I found HP document c05649759.pdf and managed to read out PK, KEK, DB and DBX from the BIOS with Get-SecureBootUEFI and, using Format-SecureBootUEFI in PowerShell, create a DB entry, but am not able to find a way of signing it via the KEK key, as it must be in PKF format and may have a password fitting to it. The procedure should be to sign the entry with signtool.exe and save it with Set-SecureBootUEFI into a DB.bin file, which I can use with HP's BIOS option to use own keys.
The idea is to leave PK and KEK as default and only append ONE certificate to DB, uploading it manually into the BIOS, being able to secure boot the Linux distro and have signed modules ready for use!
PS: the command I'm fiddling with is ---> THIS ---> as I can only export the whole DB.bin from the default BIOS and don't have access to the implemented Microsoft kek.pfx that is required for signing
signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f .\KEK.PFX /p NewHpDb_SigList_Serialization_for_DB.bin
Any ideas would be helpful.
08-13-2022 01:38 PM
Hello @sononorso
Your problem should be solved by paid support. I assume that you need help for a commercial environment. So I don't see any chance that anyone can help you except the computer manufacturer, VMware and the operating system community.
Good luck