bug-grub
[bug #56887] grub-PC check_signatures=enforce support (non-EFI)


From: adrelanos
Subject: [bug #56887] grub-PC check_signatures=enforce support (non-EFI)
Date: Fri, 13 Sep 2019 02:09:45 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

URL:
  <https://savannah.gnu.org/bugs/?56887>

                 Summary: grub-PC check_signatures=enforce support (non-EFI)
                 Project: GNU GRUB
            Submitted by: adrelanos
            Submitted on: Fri 13 Sep 2019 06:09:43 AM UTC
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Feature Request
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 2.02~rc1
         Reproducibility: Every Time
         Planned Release: None

    _______________________________________________________

Details:

Could you please make it possible to do signature verification with grub-pc
too?

Rationale:

We, the maintainers of Linux distributions that primarily run inside VMs
(Whonix; Kicksecure), would like to implement verified boot, not necessarily
Secure Boot.

At the moment, there are no tools that can create VM images (with Debian
Linux) which support EFI booting. Also, support by virtualizers such as KVM,
Xen, VirtualBox for Secure Boot is either non-existent or undocumented.

Another reason is that inside VMs we don't necessarily need the complexity
of EFI.

Instead we could boot unverified (usual virtual BIOS legacy boot) from a
virtual, read-only (write protected) boot medium (such as ISO). That boot
loader on the initial boot disk (grub2) could then verify and chainload the
boot loader (grub2) on the main disk, which then would go on to verify the
kernel. As a result, we would have a verified boot sequence.
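As an added sketch of the hand-off described above (not from the bug report or the GRUB project): the grub.cfg on the read-only boot medium turns on signature enforcement before it touches the main disk, so the main disk's grub.cfg, kernel and initrd must each carry a valid detached signature from the embedded key. The file paths, the key file name, the `MAINROOT` label and the build commands in the comments are assumptions; the hand-off uses `configfile` rather than a chainload of the second GRUB image.

```grub
# grub.cfg for the read-only boot medium (ISO), added sketch with assumed paths.
# Assumed build steps on the signing host (not inside the guest):
#   gpg --export --output boot.key <KEY-ID>                 # public key only
#   grub-mkrescue --pubkey=boot.key -o boot.iso ./iso-root  # embed key in the image
# Every file GRUB opens once enforcement is on needs FILE.sig beside it (binary,
# not ASCII-armored), including this config if the embedded key already enforces:
#   gpg --detach-sign /boot/grub/grub.cfg
#   gpg --detach-sign /boot/vmlinuz
#   gpg --detach-sign /boot/initrd.img

# 1. Refuse to load anything unsigned from here on. Setting this before the
#    first access to the main disk is what makes the rest of the chain verified.
set check_signatures=enforce
export check_signatures

# 2. Locate the main disk by filesystem label (label "MAINROOT" is assumed).
search --no-floppy --label MAINROOT --set=root
if [ -z "$root" ]; then
    echo "main disk not found; halting"
    halt
fi

# 3. Hand off: GRUB checks /boot/grub/grub.cfg.sig against the embedded key
#    before executing the file. That config then loads the kernel and initrd,
#    which are verified the same way (vmlinuz.sig, initrd.img.sig).
configfile /boot/grub/grub.cfg

# Only reached if the hand-off failed (missing or bad signature): stay in the
# read-only loader instead of silently booting an unverified kernel.
echo "signature check of main disk boot files failed; halting"
halt
```

Note that this verifies what the read-only loader opens; the loader itself is trusted only because the medium it comes from is write protected, which is the trust anchor the report proposes.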

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?56887>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
