
Re: secure boot in grub



Philipp Hahn writes:
> On 01.08.19 at 07:28, Ansgar wrote:
>> If I enroll Debian's signing key and then boot grub directly, does that
>> actually disable secure boot?  That looks like a bug to me.
>
> GRUB delegates the signature verification to SHIM - if you do not boot
> to SHIM first and let SHIM load GRUB, the SHIM provided service is
> missing and GRUB cannot verify the SB chain.

That's not correct; GRUB can still be used to chainload signed EFI
binaries via EFI's LoadImage() interface.

But from the source it looks like grub will correctly fail validation in
a secure boot environment with shim not available:

+---
|   if (!shim_lock)
|     {
|       grub_dprintf ("linuxefi", "shim not available\n");
|       return 0;
|     }
+---[ grub-core/loader/i386/efi/linux.c ]

Ansgar
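As an added illustration (not GRUB's code and not part of the original mail), here is a small C model of the gate the quoted linuxefi snippet belongs to: the platform is treated as enforcing only when the EFI variables SecureBoot == 1 and SetupMode == 0, and on an enforcing platform a kernel loads only if a shim_lock protocol is present and its verify() accepts the image. The variable store, the shim_lock structure and the tagged kernel bytes are constructed stand-ins.

```c
/* Model of GRUB's linuxefi loading decision (added example, not GRUB's code).
 * Assumed structure, after the quoted check in grub-core/loader/i386/efi/linux.c:
 *   - secure boot is enforced when SecureBoot == 1 and SetupMode == 0;
 *   - without shim_lock (GRUB booted directly, not via shim) validation fails;
 *   - with shim_lock, shim's verify() decides.  */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the two EFI global variables (one byte each). */
struct efi_vars { uint8_t secure_boot; uint8_t setup_mode; };

/* Stand-in for the shim_lock protocol; a NULL pointer means shim is absent.
 * verify() returns 0 on success, like EFI_SUCCESS. */
typedef int (*shim_verify_fn)(const void *data, size_t size);
struct shim_lock { shim_verify_fn verify; };

/* Enforcing only when Secure Boot is on and the platform is not in setup mode. */
int efi_secure_boot_enabled(const struct efi_vars *v)
{
  return v->secure_boot == 1 && v->setup_mode == 0;
}

/* Mirrors the quoted snippet: no shim_lock -> "shim not available" -> fail.
 * Otherwise the verdict is shim's. */
int linuxefi_secure_validate(const struct shim_lock *shim,
                             const void *data, size_t size)
{
  if (!shim)
    return 0;
  return shim->verify(data, size) == 0;
}

/* The loader's gate: on an enforcing platform the kernel loads only when shim
 * validated it; with Secure Boot off (or in setup mode) nothing is checked. */
int kernel_may_load(const struct efi_vars *v, const struct shim_lock *shim,
                    const void *kernel, size_t size)
{
  if (efi_secure_boot_enabled(v) && !linuxefi_secure_validate(shim, kernel, size))
    return 0;
  return 1;
}

/* Constructed shim verify(): accepts only images tagged "SIGNED:" (a stand-in
 * for a valid Authenticode signature against shim's trusted keys). */
static int fake_verify(const void *data, size_t size)
{
  return (size >= 7 && memcmp(data, "SIGNED:", 7) == 0) ? 0 : 1;
}
const struct shim_lock fake_shim = { fake_verify };
```

The first assertion below is the case discussed in the thread: Secure Boot on, GRUB booted directly without shim, so even a correctly signed kernel is refused.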

