Re: [Long] UEFI support
On Mon, Jan 09, 2012 at 07:04:49PM +0000, Tanguy Ortolo wrote:
> Iustin Pop, 2012-01-09 19:57+0100:
> > Hmm, I might misunderstand this, but wouldn't just the grub binary need
> > to be signed? And this binary then would parse the grub.cfg file and
> > allow various kernels to boot.
> Negative. Or rather, at least not the way GRUB currently works, since it
> embeds in its core image just the modules required to access the file
> system where it will find its configuration and all its other modules.
In any case, GRUB allows loading arbitrary payloads and that defeats
the whole purpose of Secure Boot. You either have to do signature
checking all the way (bootloader checks kernel; kernel checks modules)
or disable Secure Boot.
The Linux Foundation and Red Hat separately issued statements on
how they think OEMs should implement Secure Boot so as to support
free operating systems and user choice:
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus