help-grub

Re: Verify the signature of OSes (for SB)


From: Adam Vodopjan
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 01:23:07 +0200
User-agent: Mozilla Thunderbird

On 22/11/2023 00:25, Federico Angelilli wrote:
> Hello,
> A few months ago I decided to turn on secure boot on my dual os desktop, 
> mainly due to some SB related shenanigans in Windows 11.
> After a (fairly long) session of trial and error, I finally got everything to 
> work like this:
> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with the 
> right SB key
> 2) When updating grub, sign it with the SB key as well
>
> Everything now works: I can boot with SB enabled to grub, then I can either 
> choose to use the linux signed kernel or the windows chainloader.
> Except for a small detail: I can boot even from the unsigned kernels. While I 
> first thought of it as an error in my configuration, it turned out to
> be a shortcoming in grub itself (as far as I understand), that simply cannot 
> verify SB signatures on its own.


Have you got shim installed? IIRC grub uses one of shim's services to verify 
kernels. So under SB you should boot into shim, not into grub directly.


There is also the --disable-shim-lock option in grub-mkimage. Maybe that's your 
case.


>
> So, how can I set up grub in a way that I can:
> 1) boot with secure boot enabled to the grub menu
> 2) only boot from entries that are signed themselves
>
> Thanks,
> Federico
>
>



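The three things the reply above turns on, written up as an added example that is not from the thread or from the GRUB project: a POSIX shell script that reports whether Secure Boot is actually enforced, whether the firmware's current boot entry loads shim rather than grub directly, and whether a kernel image verifies against a given certificate with sbsigntools. The kernel and certificate paths, the efivarfs variable location and the name-based shim detection are assumptions; adjust them to your own ESP layout.

```shell
#!/bin/sh
# Added example, not code from the list post or from the GRUB project.
# Reports the three things the reply above turns on: is Secure Boot enforced,
# does the firmware boot shim (not grub directly), and does the kernel carry
# a signature the chain can verify. All paths are assumptions for a typical
# Debian/Ubuntu layout; override them via the environment.

KERNEL="${KERNEL:-/boot/vmlinuz}"          # assumed kernel image location
SB_CERT="${SB_CERT:-/etc/sb/MOK.pem}"      # assumed PEM cert matching the signing key
SB_VAR="${SB_VAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"

# Secure Boot state from efivarfs: 4 bytes of attributes, then the 1-byte
# value (1 = enabled). Exit 0 enabled, 1 disabled, 2 unreadable (no UEFI,
# no efivarfs, or not root).
secure_boot_enabled() {
    var="${1:-$SB_VAR}"
    [ -r "$var" ] || return 2
    [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

sb_state() {
    if secure_boot_enabled "$@"; then
        echo enabled
    else
        case $? in 1) echo disabled ;; *) echo unknown ;; esac
    fi
}

# Loader path of the entry the firmware booted this time, taken from
# `efibootmgr -v` output (file argument or stdin): the File(...) element
# of the BootXXXX line whose number matches BootCurrent.
current_loader() {
    awk '
        /^BootCurrent:/ { cur = $2; next }
        substr($1, 1, 4) == "Boot" && substr($1, 5, 4) == cur {
            if (match($0, /File\([^)]*\)/))
                print substr($0, RSTART + 5, RLENGTH - 6)
        }
    ' "${1:-/dev/stdin}"
}

# Name-based heuristic: shimx64.efi / shimaa64.efi in the path means shim
# is first in the chain. A fallback \EFI\BOOT\BOOTX64.EFI may also be a
# shim copy; this check would report "no" for it.
boots_via_shim() {
    case "$(current_loader "$@")" in
        *shim*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Authenticode check with sbsigntools: exit 0 only if the image is signed
# by the given certificate, i.e. what shim will accept once that cert is
# enrolled in db or MOK.
kernel_verifies() {
    sbverify --cert "$2" "$1" >/dev/null 2>&1
}

report() {
    echo "secure boot          : $(sb_state)"
    if efibootmgr -v 2>/dev/null | boots_via_shim; then sv=yes; else sv=no; fi
    echo "current entry is shim: $sv"
    if kernel_verifies "$KERNEL" "$SB_CERT"; then kv=yes; else kv=no; fi
    echo "kernel verifies      : $kv ($KERNEL against $SB_CERT)"
}

report
```

If the first line says "enabled" but the second says "no", the firmware is launching grub directly and the shim_lock path the reply describes is never in play: repoint the boot entry (or the fallback loader) at shim. If grub was produced with grub-mkimage, check the command line for --disable-shim-lock as the reply suggests. `mokutil --sb-state` gives the same Secure Boot answer as the first check without reading efivarfs by hand.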