Re: [Secure boot] Force check of kernel signature.
From: Plamen K. Kosseff
Subject: Re: [Secure boot] Force check of kernel signature.
Date: Tue, 28 Apr 2015 14:34:31 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
Hi Andrei,
On 28.04.2015 at 12:26, Andrei Borzenkov wrote:
> On Tue, Apr 28, 2015 at 11:55 AM, Plamen K. Kosseff <address@hidden> wrote:
>> Gentoo doesn't support Shim. Their view on the matter is that you should
>> boot the kernel directly and rely on the firmware to provide boot loader
>> functionality. However, I have a very "nice" implementation of UEFI from HP
>> that will always boot Windows and will override changes in the boot order on
>> every boot.
>>
> Well, you could try to use chainloader then. It will simply load the
> kernel and let the firmware verify it.
Well, the possibility to load any kernel will still exist, i.e. it will still be
possible to boot the system with another kernel. Since this is a laptop, I want
to make it unusable in case it gets stolen, for example.
Is it possible to patch out everything else and just leave the chainloader?
> You should be able to pass parameters to the kernel this way, including the
> initrd path, but at least the initrd will probably need to be located in a
> firmware-accessible directory, i.e. the ESP.
Yes, the kernel and the initrd will need to be on the EFI partition.
>> Anyway I'll check if gummiboot provides enough functionality for my case.
>>
> Doesn't gummiboot rely on shim as well?
It looks like gummiboot is just a chainloader, so, since I've installed
my own keys, there's no need for Shim.
Best regards,
Plamen
p.s. Yep, all Gentoo users are control freaks :)
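A GRUB chainloader entry matching the setup discussed in this thread (EFI-stub kernel and initramfs on the ESP, with the firmware rather than GRUB checking the image signature against the owner's enrolled keys). This is an added example, not code from the thread or from the GRUB project; the ESP UUID, file names and root device are placeholders.

```grub
# Added example: hand the kernel image to the firmware via chainloader so that
# the Secure Boot signature check is done by the firmware, not by GRUB.
# Placeholders: the ESP UUID (XXXX-XXXX), file names and root device are assumed.
menuentry "Gentoo (signed kernel, firmware-verified)" {
    insmod part_gpt
    insmod fat
    insmod chain
    # Locate the ESP; the kernel and the initramfs both live there so the
    # firmware can read the image and the EFI stub can read the initramfs.
    search --no-floppy --fs-uuid --set=root XXXX-XXXX
    # Everything after the image path becomes the kernel command line. The
    # EFI stub takes the initramfs via initrd= with an ESP-relative backslash
    # path; single quotes keep GRUB from treating the backslashes as escapes.
    # An image not signed by a key present in db is refused by the firmware
    # before it ever runs.
    chainloader /EFI/gentoo/vmlinuz.efi root=/dev/sda2 ro 'initrd=\EFI\gentoo\initramfs.img'
}
```

With only the owner's own keys enrolled in db (no Microsoft or vendor certificates), this entry boots exactly the images signed with those keys and nothing else.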