[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Secure Boot Multi distro support

  Let's suppose that I am a final user that wants to multiboot Debian
and another distro.
  And let's suppose that I want to use Debian's Grub for that.

  Can't I, isn't it ?

  So at this Debconf18 UEFI talk:
( 8:30 and 17:30)
  we learn that Debian Grub only will boot into own Debian signed kernel
and it will not fallback to unsigned kernels.

So I guess that with this setup you could:

* Use default UEFI boot menu from your BIOS/UEFI vendor which might be ugly
* Use signed Secure Boot UEFI bootloader (maybe rEFInd)

I was asking myself if there would be a future initiative about an
organisation being recognised as secure.

So, let's see an example with Linux Foundation.
So Linux Foundation has a CA and signs:
* Debian
* Ubuntu
* SuSE
* RedHat

So, Debian decides Linux Foundation is secure enough so that:

Secure Boot -> shim (Debian signed) -> grub (Debian signed)

And then grub not only is able to boot kernels signed by Debian key but
also other kernels signed by other vendors keys which Linux Foundation
signed with its CA.

So you get Secure Boot Multi distro boot thanks to Grub.

I am pretty sure that this is not going to happen ever because it means
distributions trusting each others and once one distro key is
compromised then everything is compromised (asumming revoking is not in

But anyhow... has there been any talk with other distributions on how to
acomplish something similar to what I describe here?

Thank you very much.

Support free software. Donate to Super Grub Disk. Apoya el software
libre. Dona a Super Grub Disk. http://www.supergrubdisk.org/donate/

Reply to: