Re: Secure Boot and Grub monolithic build


On 16.08.2018 at 09:18, Philipp Hahn wrote:
> On 16.08.2018 at 00:22, adrian15 wrote:
>> So in the DebConf18 UEFI talk we learn that Grub is built as a monolithic
>> image with all of the modules.
>> https://mirror.netcologne.de/debian-video/2018/DebConf18/2018-07-31/report-from-the-debian-efi-team-about-th.webm
>> ( 17:57 )
>> I'm not sure if it would be feasible technically but I might want to
>> reuse that grub into Super Grub2 Disk. So I am interested in how this
>> Grub has been built.
>> That is what changes have been made to the Grub package so that the Grub
>> build is forced to be built in a monolithic way.
> the monolithic version is "on-top"; you still have the modular version,
> but we're only allowed to sign the monolithic version as we're not

correction: we're not allowed to sign the *modular* version ...

> allowed to dynamically load unsigned GRUB modules; GRUB runs before
> ExitBootServices() is called and so it has to follow the SecureBoot
> guidelines.
> Strictly speaking GRUB also supports signing its modules using PGP, but
> we already have enough different signing mechanisms so that we currently
> do not want to add a third; let's first get SecureBoot running and work
> on improvements later.


