Re: [Secure boot] Force check of kernel signature.
From: Jordan Uggla
Subject: Re: [Secure boot] Force check of kernel signature.
Date: Tue, 28 Apr 2015 12:43:42 -0700
On Tue, Apr 28, 2015 at 4:34 AM, Plamen K. Kosseff <address@hidden> wrote:
> Hi Andrei,
>
> On 28.04.2015 at 12:26, Andrei Borzenkov wrote:
>> On Tue, Apr 28, 2015 at 11:55 AM, Plamen K. Kosseff <address@hidden> wrote:
>>> Gentoo doesn't support Shim. Their view on the matter is that you should
>>> boot the kernel directly and rely on the firmware to provide boot loader
>>> functionality, however I have a very "nice" implementation of UEFI from HP
>>> that will always boot windows and will override changes in the boot order
>>> on every boot.
>>>
>> Well, you could try to use chainloader then. It will simply load the
>> kernel and let the firmware verify it.
> Well, the possibility to load any kernel will still exist, i.e. making it
> possible to boot the system with another kernel. Since this is a laptop I
> want to make it unusable in case it gets stolen, for example.
Andrei already mentioned this previously in the thread, but I'd like
to reiterate that upstream grub supports requiring that all files
(which of course includes kernel images and grub's own modules) contain
valid gpg detached signatures. This will allow you to prevent grub
from loading any kernel that you have not personally signed. You can
run 'info -f grub -n "Using digital signatures"' to access the
documentation for this feature.
--
Jordan Uggla (Jordan_U on irc.freenode.net)
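Added example, not part of the thread or of GRUB's own tooling: a POSIX shell script that creates an RSA signing key, signs every file in a boot directory with the detached gpg signatures that GRUB's check_signatures=enforce expects, and verifies them the way GRUB would, so an unsigned or modified kernel is rejected. The key identity, directory layout and the grub-mkstandalone --pubkey step are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sign every file GRUB will load with
# a detached gpg signature, then verify them as check_signatures=enforce
# would: anything unsigned or modified is refused.
# Usage: $1 = gpg homedir holding the signing key, $2 = boot file directory.
set -e

# Throwaway RSA key. GRUB's built-in verifier handles RSA/DSA keys, not the
# EdDSA keys newer gpg versions generate by default, so ask for RSA.
make_signing_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'GRUB signing (example) <grub@example.invalid>' \
        rsa3072 sign never
    # Binary public key to embed in the image, e.g. (assumed invocation):
    #   grub-mkstandalone --pubkey "$1/grub.pub" ...
    # The embedded config then needs:  set check_signatures=enforce
    gpg --homedir "$1" --batch --yes --export --output "$1/grub.pub"
}

# Every file in $2 (kernel, initrd, grub.cfg, modules) gets FILE.sig beside it.
sign_boot_files() {
    for f in "$2"/*; do
        case "$f" in *.sig) continue ;; esac
        gpg --homedir "$1" --batch --yes --detach-sign --output "$f.sig" "$f"
    done
}

# Returns 0 only if every file has a .sig that verifies against the key in $1;
# GRUB likewise refuses to load a file whose signature is missing or bad.
verify_boot_files() {
    status=0
    for f in "$2"/*; do
        case "$f" in *.sig) continue ;; esac
        if [ ! -f "$f.sig" ]; then
            echo "UNSIGNED: $f" >&2; status=1
        elif ! gpg --homedir "$1" --batch --verify "$f.sig" "$f" 2>/dev/null; then
            echo "BAD SIGNATURE: $f" >&2; status=1
        fi
    done
    return $status
}
```

Re-run sign_boot_files after every kernel or initrd update; a stale signature fails verification exactly like a tampered file does.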