Re: secure boot in grub

To: debian-efi@lists.debian.org
Subject: Re: secure boot in grub
From: Ansgar <ansgar@debian.org>
Date: Thu, 01 Aug 2019 09:11:52 +0200
Message-id: <[🔎] 87ef25tl53.fsf@43-1.org>
In-reply-to: <[🔎] 36c582c3-07b1-84ad-f481-cfe6335901cd@pmhahn.de> (Philipp Hahn's message of "Thu, 1 Aug 2019 08:19:49 +0200")
References: <20190731221256.GA21664@xps13.dannf> <[🔎] 874l31xxly.fsf@43-1.org> <[🔎] 36c582c3-07b1-84ad-f481-cfe6335901cd@pmhahn.de>

Philipp Hahn writes:
> Am 01.08.19 um 07:28 schrieb Ansgar:
>> If I enroll Debian's signing key and then boot grub directly, does that
>> actually disable secure boot?  That looks like a bug to me.
>
> GRUB delegates the signature verification to SHIM - if you do not boot
> to SHIM first and let SHIM load GRUB, the SHIM provided service is
> missing and GRUB cannot verify the SB chain.

That's not correct; GRUB can still be used to chainload signed EFI
binaries via EFI's LoadImage() interface.

But from the source it looks like grub will correctly fail validation in
a secure boot environment with shim not available:

+---
|   if (!shim_lock)
|     {
|       grub_dprintf ("linuxefi", "shim not available\n");
|       return 0;
|     }
+---[ grub-core/loader/i386/efi/linux.c ]

Ansgar

Reply to:

References:
- secure boot in grub (was: Re: PK/KEK for ovmf)
  - From: Ansgar <ansgar@debian.org>
- Re: secure boot in grub (was: Re: PK/KEK for ovmf)
  - From: Philipp Hahn <pmhahn@pmhahn.de>

Prev by Date: Re: secure boot in grub (was: Re: PK/KEK for ovmf)
Next by Date: Processed: raise severity of GCC 9 ftbfs issues (GCC 9 is now the default)
Previous by thread: Re: secure boot in grub (was: Re: PK/KEK for ovmf)
Next by thread: Processed: raise severity of GCC 9 ftbfs issues (GCC 9 is now the default)
Index(es):
- Date
- Thread