[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Secure Boot and Grub monolithic build

Hello,

Am 16.08.2018 um 00:22 schrieb adrian15:
> So in Debconf18 UEFI talk we learn that Grub is built as a monolithic
> image with all of the modules.
> 
> https://mirror.netcologne.de/debian-video/2018/DebConf18/2018-07-31/report-from-the-debian-efi-team-about-th.webm
> ( 17:57 )
> 
> I'm not sure if it would be feasible technically but I might want to
> reuse that grub into Super Grub2 Disk. So I am interested in how this
> Grub has been built.
> 
> That is what changes have been made to the Grub package so that the Grub
> build is forced to built into a monolithic way.

the monolithic version is "on-top"; you still have the modular version,
but we're only allowed to sign the monolithic version as we're not
allowed to dynamically load unsigned GRUB modules; GRUB runs before
ExitBootServices() is called and so it has to follow the SecureBoot
guile lines.
Strictly speaking GRUB also supports singing its modules using PGP, but
we already have enough different signing mechanisms so that we currently
do not want to add a third; lets first get SecureBoot running and work
on improvements later.

> Can you please provide an link to some of the key commits on this
> change? Or maybe a link to repo / branch with them and I'll figure it
> out myself?

<https://salsa.debian.org/grub-team/grub/commit/bd2c77beadfc63bab443fe2ba164260b1da9efe8>

Philipp
Reply to: