[OT] Secure boot for Super Grub2 Disk plausible?
Hi,
I am unsure if Super Grub2 Disk is appropriate for requesting a
Secure Boot signature for it.
I hope this is not too offtopic for you guys.
1. What is Super Grub2 Disk?
You can find extensive information about Super Grub2 Disk here:
http://www.supergrubdisk.org/super-grub2-disk/ .
Technically it is a GNU/GRUB Version 2 based disk which has some custom
configuration files (cfg). And what these configuration files do is very
interesting in rescue scenarios:
* Everything option: Scans all the operating systems and kernels and
presents them to you so that you can boot the one you want.
* 'Boot manually' entries which cover:
** Operating systems
** Extract entries from grub.cfg
** Run grub.cfg files
** Interpret menu.lst files
** Run core.img files
** 'Chainload' EFI files
** Search for loopback.cfg ISO based images in /boot-isos or
/boot/boot-isos folder and present their contents.
* Additional entries for loading GRUB2's LVM, RAID or PATA support
2. My concerns about Super Grub2 Disk and Secure Boot
2.1. So if I add Secure Boot to Super Grub2 Disk I would like to be able
to load non-signed kernels.
So I don't know if it's possible, although I know that Ubuntu guys let you
boot unsigned Kernels.
If I'm not mistaken, the workaround for this limitation is that Ubuntu's
grub2 (or maybe the pre-loader) does not let you overwrite some efi
memory so that you cannot overwrite signatures. (Please correct me on
technical details because I know I'm not being accurate with the Ubuntu
explanation here.)
2.2. As opposed to other pre-loaders that Microsoft has signed, the main
purpose of Super Grub2 Disk is not to boot a signed kernel or operating
system.
Not sure if the main purpose of a software matters in the Microsoft
decision making.
2.3. One of the features of Super Grub2 Disk extracts entries from cfg
files when doing its 'Everything' scanning. Not sure if that could be
used by some malicious virus to place some special cfg files in some
specific place. You know, so that someone that uses Super Grub2 Disk can
bootkit one of their OSes.
3. Why Secure Boot on Super Grub2 Disk?
So that it works in EFI machines that by default enforce Secure Boot.
4. Super Grub2 Disk and Debian.
This is not specific to my Secure boot concerns but, well, I hope some
day to integrate Super Grub2 Disk into Debian. Last time I checked
Debian I had problems with it because:
4.1. Debian packages do not provide a way of building a hybrid (both
valid in i386-pc and efi machines) iso.
4.2. Debian GNU/GRUB Version 2 package version commit was behind what
Super Grub2 Disk needed for it to work on a Mac-Intel system (The three
partition types in a single iso hack if you know what I mean).
5. Do you think I would need to sign a pre-loader (like Shim) instead,
some grub modules or the full ISO ?
6. I do not rule out having an option so that the user can enforce
Signed-Booting (i.e. would refuse to boot a non-signed kernel). Do you
know if that's even possible in Ubuntu's grub version?
------------------
So... As a summary, what I want to know is if what the Ubuntu people did in
order to be able to boot non-signed kernels would work for me for these
two purposes:
1) Get the signature approved from Microsoft
2) Do not lose current Super Grub2 Disk functionality (Boot as many OSes
from it as you can do right now).
Thank you for your feedback.
adrian15
--
Support free software. Donate to Super Grub Disk.
http://www.supergrubdisk.org/donate/