[bug #65103] no way to disable secure boot signature for images to boot


From: akallabeth
Subject: [bug #65103] no way to disable secure boot signature for images to boot from grub
Date: Mon, 1 Jan 2024 06:04:46 -0500 (EST)

URL:
  <https://savannah.gnu.org/bugs/?65103>

                 Summary: no way to disable secure boot signature for images to boot from grub
                   Group: GNU GRUB
               Submitter: akallabeth
               Submitted: Mon 01 Jan 2024 11:04:44 AM UTC
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: other
                 Release: 
         Discussion Lock: Any
         Reproducibility: Every Time
         Planned Release: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Mon 01 Jan 2024 11:04:44 AM UTC By: akallabeth <akallabeth>
My setup is as follows:

1. I have a grubx64.efi signed with my own MOK secure boot keys
2. I have enabled signature verification with grub-mkstandalone --pubkey <key>
and set check_signatures=enforce
3. Booting without secure boot works fine, the grub signature checks are
enforced (can not load any image that does not have a detached signature with
my grub key id)
4. If I enable secure boot each image must also be signed with my MOK keys or
the image will not boot
5. I have tried to build the grub image with and without --disable-shim-lock

I have not found a way to disable this behavior and let grub boot arbitrary
images that are only signed with the grub key.

The secure boot keys are no longer needed (and in my case only used to make
manipulation of the grub image harder).
All further operations should only depend on the grub signature verification
for my setup.







    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?65103>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
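
With check_signatures=enforce, as in steps 2 and 3 of the report above, GRUB loads a file only when a valid detached signature `<file>.sig` sits next to it. The script below is an added example, not part of the original report or of GRUB, that lists files lacking such a signature before a reboot; the function name `audit_boot_sigs` and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: pre-reboot audit for a GRUB setup using check_signatures=enforce.
# Any file reported here has no usable detached signature "<file>.sig" and
# would be refused by GRUB's own signature check.

# audit_boot_sigs DIR [PUBKEY]
#   DIR     directory GRUB reads from (assumed layout, e.g. /boot)
#   PUBKEY  optional binary OpenPGP public key, the same file given to --pubkey;
#           when present, each signature is also verified with gpgv (must be installed)
# Prints one "MISSING <file>" or "BAD <file>" line per problem file and
# returns non-zero if there was any.
audit_boot_sigs() {
    dir=$1
    pubkey=${2:-}
    # gpgv resolves a keyring name without a slash relative to its home
    # directory, so force a path for bare file names.
    case $pubkey in
        ''|*/*) ;;
        *) pubkey=./$pubkey ;;
    esac
    report=$(
        find "$dir" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
            if [ ! -f "$f.sig" ]; then
                echo "MISSING $f"
            elif [ -n "$pubkey" ] &&
                 ! gpgv --keyring "$pubkey" "$f.sig" "$f" >/dev/null 2>&1; then
                echo "BAD $f"
            fi
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_boot_sigs.sh /boot /path/to/pubkey
if [ "$#" -gt 0 ]; then
    audit_boot_sigs "$@"
fi
```

This covers only the GRUB detached-signature layer; the additional Secure Boot (MOK) signature requirement described in step 4 is a separate check that this script does not examine.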



