
[OT] Secure boot for Super Grub2 Disk plausible?



  Hi,

I am unsure whether Super Grub2 Disk is appropriate for requesting a Secure Boot signature for it.

  I hope this is not too offtopic for you guys.

1. What is Super Grub2 Disk?

You can find extensive information about Super Grub2 Disk here: http://www.supergrubdisk.org/super-grub2-disk/ .

Technically it is a GNU/GRUB Version 2 based disk which has some custom configuration files (cfg). And what these configuration files do is very interesting in rescue scenarios:

* Everything option: Scans all the Operating Systems and Kernels and presents them to you so that you can boot the one you want to.
* 'Boot manually' entries which cover:
** Operating systems
** Extract entries from grub.cfg
** Run grub.cfg files
** Interpret menu.lst files
** Run core.img files
** 'Chainload' EFI files
** Search for loopback.cfg ISO based images in /boot-isos or /boot/boot-isos folder and present their contents.
* Additional entries for loading GRUB2's LVM, RAID or PATA support

2. My concerns about Super Grub2 Disk and Secure Boot

2.1. So if I add Secure Boot to Super Grub2 Disk I would like to be able to load non-signed kernels.


So I don't know if it's possible, although I know that the Ubuntu guys let you boot unsigned kernels.

If I'm not mistaken, the workaround for this limitation is that Ubuntu's grub2 (or maybe the pre-loader) does not let you overwrite some EFI memory so that you cannot overwrite signatures. (Please correct me on technical details because I know I'm not being accurate with the Ubuntu explanation here.)

2.2. As opposed to other pre-loaders that Microsoft has signed, the main purpose of Super Grub2 Disk is not to boot a signed kernel or operating system.

Not sure if the main purpose of a software matters in the Microsoft decision making.

2.3. One of the features of Super Grub2 Disk extracts entries from cfg files when doing its 'Everything' scanning. Not sure if that could be used by some malicious virus to place some special cfg files in some specific place. You know, so that someone that uses Super Grub2 Disk can bootkit one of their OSes.

3. Why Secure Boot on Super Grub2 Disk?

So that it works in EFI machines that by default enforce Secure Boot.

4. Super Grub2 Disk and Debian.

This is not specific to my Secure boot concerns but, well, I hope some day to integrate Super Grub2 Disk into Debian. Last time I checked Debian I had problems with it because:

4.1. Debian packages do not provide a way of building a hybrid (both valid in i386-pc and efi machines) iso.

4.2. Debian GNU/GRUB Version 2 package version commit was behind what Super Grub2 Disk needed for it to work on a Mac-Intel system (The three partition types in a single iso hack if you know what I mean).

5. Do you think I would need to sign a pre-loader (like Shim) instead, some grub modules or the full ISO?

6. I do not discard having an option so that the user can enforce Signed-Booting (i.e. would refuse to boot a non-signed kernel). Do you know if that's even possible in Ubuntu's grub version?

------------------

So... As a summary, what I want to know is if what the Ubuntu people did in order to be able to boot non-signed kernels would work for me for these two purposes:

1) Get the signature approved from Microsoft
2) Do not lose current Super Grub2 Disk functionality (Boot as many OSes from it as you can do right now).


Thank you for your feedback.


adrian15
--
Support free software. Donate to Super Grub Disk. http://www.supergrubdisk.org/donate/

