[bug #65103] no way to disable secure boot signature for images to boot
From: akallabeth
Subject: [bug #65103] no way to disable secure boot signature for images to boot from grub
Date: Mon, 1 Jan 2024 06:04:46 -0500 (EST)
URL:
<https://savannah.gnu.org/bugs/?65103>
Summary: no way to disable secure boot signature for images
to boot from grub
Group: GNU GRUB
Submitter: akallabeth
Submitted: Mon 01 Jan 2024 11:04:44 AM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: other
Release:
Discussion Lock: Any
Reproducibility: Every Time
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Mon 01 Jan 2024 11:04:44 AM UTC By: akallabeth <akallabeth>
My setup is as follows:
1. I have a grubx64.efi signed with my own MOK secure boot keys
2. I have enabled signature verification with grub-mkstandalone --pubkey <key>
and set check_signatures=enforce
3. Booting without secure boot works fine, the grub signature checks are
enforced (can not load any image that does not have a detached signature with
my grub key id)
4. If I enable secure boot each image must also be signed with my MOK keys or
the image will not boot
5. I have tried to build the grub image with and without --disable-shim-lock
I have not found a way to disable this behavior and let grub boot arbitrary
images that are only signed with the grub key.
The secure boot keys are no longer needed (and in my case only used to make
manipulation of the grub image harder).
All further operations should only depend on the grub signature verification
for my setup.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?65103>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
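
Added example (not part of the bug report and not GRUB project code): with check_signatures=enforce, GRUB looks for a detached `<file>.sig` next to every file it loads, so a boot tree can be audited for files that would be refused. The function names and the sample tree below are constructed for illustration; the script only checks that a non-empty signature file is present and does not verify it cryptographically.

```shell
#!/bin/sh
# Audit a boot tree for files that have no detached "<file>.sig" companion.
# Presence check only: it does not run gpg or validate the signature.

# missing_sigs DIR
# Prints one path per line for each regular file under DIR that has no
# non-empty "<file>.sig" beside it. Signature files themselves are skipped.
missing_sigs() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -s "$f.sig" ] || printf '%s\n' "$f"
    done
}

# make_sample_tree
# Builds a constructed sample tree in a temp directory and prints its path:
#   vmlinuz        signed
#   initrd.img     no signature file
#   grub/grub.cfg  empty signature file (counted as missing)
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/grub"
    : > "$d/vmlinuz"
    echo "constructed-signature" > "$d/vmlinuz.sig"
    : > "$d/initrd.img"
    : > "$d/grub/grub.cfg"
    : > "$d/grub/grub.cfg.sig"
    printf '%s\n' "$d"
}

# When called with a directory argument, audit that directory.
if [ "$#" -gt 0 ]; then
    missing_sigs "$1"
fi
```

Run it as `sh audit.sh /boot` (the script name is an assumption); any path it prints needs a detached signature made with the key passed to `--pubkey` before GRUB will load it in enforce mode.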