secure boot in grub (was: Re: PK/KEK for ovmf)

To: debian-efi@lists.debian.org
Subject: secure boot in grub (was: Re: PK/KEK for ovmf)
From: Ansgar <ansgar@debian.org>
Date: Thu, 01 Aug 2019 07:28:57 +0200
Message-id: <[🔎] 874l31xxly.fsf@43-1.org>
In-reply-to: <20190731221256.GA21664@xps13.dannf> (dann frazier's message of "Wed, 31 Jul 2019 16:12:56 -0600")
References: <20190731221256.GA21664@xps13.dannf>

Hi,

dann frazier writes:
> [1] https://salsa.debian.org/qemu-team/edk2/blob/debian/debian/PkKek-1.README

I've no answer to your question right now, but the following sentence
caught my attention:

+---
| When grub is run without the shim protocol registered, it assumes SB is
| disabled and boots without verifying the kernel.
+---

Is this correct?

If I enroll Debian's signing key and then boot grub directly, does that
actually disable secure boot?  That looks like a bug to me.

Ansgar

Reply to:

Follow-Ups:
- Re: secure boot in grub (was: Re: PK/KEK for ovmf)
  - From: Philipp Hahn <pmhahn@pmhahn.de>

Next by Date: Re: secure boot in grub (was: Re: PK/KEK for ovmf)
Next by thread: Re: secure boot in grub (was: Re: PK/KEK for ovmf)
Index(es):
- Date
- Thread