|
From: | Plamen K. Kosseff |
Subject: | Re: [Secure boot] Force check of kernel signature. |
Date: | Tue, 28 Apr 2015 11:55:50 +0300 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 |
На 28.04.2015 в 11:34, Andrei Borzenkov
написа:
Thanks for the prompt response.On Tue, Apr 28, 2015 at 10:44 AM, Plamen K. Kosseff <address@hidden> wrote:Hello, Distro: Gentoo ~amd64 grub version: grub-2.02_beta2 So I have a secure boot enabled system with my own keys. I've signed grub and the system is bootable. However grub will happily load any kernel, signed or not, which renders secure boot useless. Is there a way to make grub to load only signed kernels?Upstream GRUB does not support secure boot signatures (or signed PE in general). There is support for gpg detached signatures. Distribution carry extra patch(es) to enable secure boot signature verification using shim. You need to check gentoo documentation how to do it. Shim supports enrolling of own keys. Gentoo doesn't support Shim. Their view on the matter is that you should boot the kernel directly and rely on the firmware to provide boot loader functionality, however I have a very "nice" implementation of UEFI from HP that will always boot windows and will override changes in the boot order on every boot. Anyway I'll check if gummiboot provides enough functionality for my case. |
[Prev in Thread] | Current Thread | [Next in Thread] |