Re: secure boot in grub
Philipp Hahn writes:
> On 01.08.19 at 07:28, Ansgar wrote:
>> If I enroll Debian's signing key and then boot grub directly, does that
>> actually disable secure boot? That looks like a bug to me.
> GRUB delegates the signature verification to SHIM - if you do not boot
> to SHIM first and let SHIM load GRUB, the SHIM provided service is
> missing and GRUB cannot verify the SB chain.
That's not correct; GRUB can still be used to chainload signed EFI
binaries via EFI's LoadImage() interface.
But from the source it looks like grub will correctly fail validation in
a secure boot environment with shim not available:
|   if (!shim_lock)
|     {
|       grub_dprintf ("linuxefi", "shim not available\n");
|       return 0;
|     }
+---[ grub-core/loader/i386/efi/linux.c ]
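As an added illustration that is not part of the thread and not GRUB's code: a userspace C model of the fail-closed check quoted above. The shim_lock protocol, its Verify() entry point and the Secure Boot policy are all stand-ins, and the names secure_validate, may_load_kernel, model_shim and mock_shim_verify are constructed for the model.

```c
/* Model (not GRUB code) of the quoted check: when the shim_lock protocol
 * that shim installs is absent, validation reports failure rather than
 * silently passing. All names and status values below are constructed. */
#include <stdio.h>
#include <string.h>

#define EFI_SUCCESS 0
#define EFI_SECURITY_VIOLATION 26 /* any nonzero value = an EFI error status */

/* Model of the shim_lock protocol: a single Verify() entry point. */
typedef struct {
  int (*verify)(const void *buffer, unsigned int size);
} shim_lock_t;

/* Stand-in for shim's signature check: accepts buffers carrying a
 * constructed "SIGNED" trailer and rejects everything else. */
static int mock_shim_verify(const void *buffer, unsigned int size)
{
  const char *tag = "SIGNED";
  size_t n = strlen(tag);
  if (size < n || memcmp((const char *)buffer + size - n, tag, n) != 0)
    return EFI_SECURITY_VIOLATION;
  return EFI_SUCCESS;
}

/* Returns the model's shim_lock instance (constructed). */
const shim_lock_t *model_shim(void)
{
  static const shim_lock_t shim = { mock_shim_verify };
  return &shim;
}

/* Mirrors the quoted logic: no shim_lock protocol -> 0 (not validated);
 * otherwise validated only if shim's Verify() returned EFI_SUCCESS. */
int secure_validate(const shim_lock_t *shim_lock, const void *data, unsigned int size)
{
  if (!shim_lock) {
    fprintf(stderr, "shim not available\n");
    return 0;
  }
  return shim_lock->verify(data, size) == EFI_SUCCESS;
}

/* Caller policy: with Secure Boot enabled, a 0 from secure_validate()
 * must abort the load; with it disabled, validation is skipped. */
int may_load_kernel(int secure_boot_enabled, const shim_lock_t *shim_lock,
                    const void *data, unsigned int size)
{
  if (!secure_boot_enabled)
    return 1;
  return secure_validate(shim_lock, data, size);
}
```

The point the model makes explicit is that a missing shim_lock protocol yields the same result as a bad signature: under Secure Boot the load is refused, not waved through.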