Hi, Am Thu, 6 Aug 2020 17:24:08 +0000 schrieb Jeremy Stanley <fungi@yuggoth.org>: > The idea is that UEFI/BIOS checks the signature for GRUB before > executing it, and does so instructing GRUB to verify the signature > for its config. GRUB then checks the signatures on the kernel and > initrd before handing off control. To alter GRUB or its > configuration or the kernel or initrd ultimately (in theory, barring > bugs like the "Boot Hole" vulnerability everyone was talking about > over the weekend) you'll have to guess the BIOS password or have > access to reflash it with your own. Ideally this tampering also > invalidates cryptographic attestation for the entire chain, which > the user should then be able to detect. Are you talking about the Debian default setup or some custom setup? I don't really see how the Debian setup can do this, because the grub configuration and the initrd are generated on the end user machine. By default Debian doesn't enroll a MOK, so I don't see how the end user machine would sign the grub configuration and the initrd, as there is simply no key available that would be accepted by the UEFI. Regards Sven
Attachment:
pgp80LNTaXcUc.pgp
Description: Digitale Signatur von OpenPGP