help-grub

Re: Grub and secure boot


From: Andrei Borzenkov
Subject: Re: Grub and secure boot
Date: Sat, 5 Feb 2022 18:09:13 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

On 05.02.2022 00:08, Domenico Panella wrote:
> Hi all,
> I have a problem with grub.
> I have signed the grub efi file with my efi keys,
> but I get this error:
> 
> verification requested but nobody cares: (hd0,gpt7)/boot/grub/x86_64-efi/normal.mod
> Entering rescue mode... grub rescue>
> 
> I always used this way but now it doesn't work.
> What is missing?
> 

When secure boot is enabled, grub enforces verification of modules. But grub
modules themselves do not have an EFI signature, so there is no verifier that
can check them. Distributions ship signed grub with module loading disabled.

You may try signing modules with a GPG key and adding this key to the grub
image. But that will enforce signature checks for every file, including
configuration, themes, etc.; every file that grub reads will need to be signed.

An alternative is to use grub-standalone to embed a RAM disk with modules in
the grub image. GRUB should skip signature verification for those internal
modules.
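
An added example, not part of the original message: a pre-flight audit for the GPG option described in the reply, listing every file under a GRUB directory that would fail once signature checks are enforced. It assumes detached signatures are stored beside each file as `<file>.sig` and that the public key has been exported to a keyring file readable by `gpgv`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a GRUB directory before turning on
# GPG signature enforcement.
# Assumption: detached signatures live next to each file as "<file>.sig".

# Print every regular file under $1 that has no "<file>.sig" beside it.
list_unsigned() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Print every signed file under $1 whose signature does not verify against
# keyring $2 (a file holding the exported public key, as read by gpgv).
list_bad_signatures() {
    find "$1" -type f -name '*.sig' | sort | while IFS= read -r s; do
        f=${s%.sig}
        [ -f "$f" ] || continue
        gpgv --quiet --keyring "$2" "$s" "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# audit_tree DIR [KEYRING]: return 0 only if nothing is unsigned or invalid.
audit_tree() {
    problems=$(list_unsigned "$1")
    if [ -n "${2:-}" ]; then
        bad=$(list_bad_signatures "$1" "$2")
        problems=$(printf '%s\n%s' "$problems" "$bad" | sed '/^$/d')
    fi
    [ -z "$problems" ] && return 0
    printf 'would fail verification:\n%s\n' "$problems" >&2
    return 1
}

# Run as a script: ./audit.sh /boot/grub [pubkey.gpg]
if [ "$#" -gt 0 ]; then audit_tree "$@"; fi
```

Without a keyring argument the audit only checks that a signature file exists for each file; with one, it also reports signatures that do not verify.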


