[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Secure boot] Force check of kernel signature.
From: |
Andrei Borzenkov |
Subject: |
Re: [Secure boot] Force check of kernel signature. |
Date: |
Tue, 28 Apr 2015 11:34:57 +0300 |
On Tue, Apr 28, 2015 at 10:44 AM, Plamen K. Kosseff <address@hidden> wrote:
> Hello,
>
> Distro: Gentoo ~amd64
> grub version: grub-2.02_beta2
>
> So I have a secure boot enabled system with my own keys. I've signed grub
> and the system is bootable.
> However grub will happily load any kernel, signed or not, which renders
> secure boot useless.
>
> Is there a way to make grub to load only signed kernels?
>
Upstream GRUB does not support secure boot signatures (or signed PE in
general). There is support for gpg detached signatures. Distribution
carry extra patch(es) to enable secure boot signature verification
using shim. You need to check gentoo documentation how to do it. Shim
supports enrolling of own keys.