Re: secure boot in grub (was: Re: PK/KEK for ovmf)
Am 01.08.19 um 07:28 schrieb Ansgar:
> dann frazier writes:
>>  https://salsa.debian.org/qemu-team/edk2/blob/debian/debian/PkKek-1.README
> I've no answer to your question right now, but the following sentence
> caught my attention:
> | When grub is run without the shim protocol registered, it assumes SB is
> | disabled and boots without verifying the kernel.
> Is this correct?
> If I enroll Debian's signing key and then boot grub directly, does that
> actually disable secure boot? That looks like a bug to me.
GRUB delegates the signature verification to SHIM - if you do not boot
to SHIM first and let SHIM load GRUB, the SHIM provided service is
missing and GRUB cannot verify the SB chain.
SB is more than just verifying a single signature and I consider it
reasonable for GRUB to not yet implement the SB protocol itself again.
So not a bug, but a reasonable design decision.