About grub signing config files
From: Felix Rubio Dalmau
Subject: About grub signing config files
Date: Fri, 01 Jan 2021 10:47:43 +0100
Hi everybody (and happy 2021)!
I have just installed Debian stable, with Grub2. I want to make full use of
secure boot and kernel/initramfs/grub config files signing, but I have not
been able to find an "already maintained" way to do it.
I think I have come up with a minimal set of changes that a) provide the grub
config file signing, and b) break nothing (I think), and I want to share them
with you so that maybe they can be included in upstream grub? The assumptions
are that a) gpg is installed, and b) the default name format for the signature
files (so, ending in .sig) is used.
In short, it boils down to
a) defining a variable GRUB_SIGNING_KEY with the fingerprint of the key to be
used.
b) add this to grub-mkconfig
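###########
# Sign the generated config only when a key is configured and the output is a file
if [ -n "${GRUB_SIGNING_KEY}" ] && [ -n "${grub_cfg}" ]; then
  # Writes the detached signature to ${grub_cfg}.sig, overwriting any old one
  gpg --yes --default-key "${GRUB_SIGNING_KEY}" --detach-sign "${grub_cfg}" >&2
  echo >&2
fi
###########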
c) add another exception for *.sig in the function 'grub_file_is_not_garbage'
in grub-mkconfig_lib
What are your comments?
Thank you,
Felix
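
Why step c) matters, shown as an added example that is not part of the original message and is not GRUB's own code: once kernels are signed, a detached .sig file sits next to each kernel image and matches the same filename glob, so a generator that does not skip it would treat the signature as a bootable kernel. Assumptions: the function names, the vmlinuz-* glob and the version string below are constructed for illustration, and the filter is a simplified stand-in for grub_file_is_not_garbage.

```shell
#!/bin/sh
# Added illustration; simplified stand-in, NOT the code from grub-mkconfig_lib.

SKIP_SIG=1   # 1 = apply the proposed *.sig exception, 0 = behave as without it

# Return 0 if "$1" is a regular file worth considering, 1 if it must be skipped.
file_is_not_garbage_sketch() {
    [ -f "$1" ] || return 1
    case "$1" in
        *.dpkg-*) return 1 ;;                 # package-manager leftovers
        *.sig)                                # detached signature files
            if [ "$SKIP_SIG" = 1 ]; then return 1; fi ;;
    esac
    return 0
}

# Print, one per line, the files in directory "$1" that would become
# kernel menu entries (assumed glob: vmlinuz-*).
list_kernel_candidates() {
    for f in "$1"/vmlinuz-*; do
        if file_is_not_garbage_sketch "$f"; then
            basename "$f"
        fi
    done
}

# Build a throwaway /boot look-alike (constructed sample files) and list it.
# "$1" selects whether the *.sig exception is active (1) or not (0).
demo() {
    SKIP_SIG=$1
    d=$(mktemp -d) || return 1
    : > "$d/vmlinuz-5.10.0-1-amd64"           # the kernel image
    : > "$d/vmlinuz-5.10.0-1-amd64.sig"       # its detached signature
    : > "$d/vmlinuz-5.10.0-1-amd64.dpkg-tmp"  # leftover that is already skipped
    list_kernel_candidates "$d"
    rm -rf "$d"
}

echo "with *.sig exception:";    demo 1
echo "without *.sig exception:"; demo 0
```

Without the exception the listing contains both the kernel and its .sig file; with it, only the kernel remains.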