Looks like UKIs include the initrd in what EFI checks the signature of.
Add signature checking for grub.cfg (instead of just the EFI shim), but that requires enrolling a local key.
Add initrd signatures to grub.cfg.