help-grub

Re: Verify the signature of OSes (for SB)


From: Randy Goldenberg
Subject: Re: Verify the signature of OSes (for SB)
Date: Tue, 21 Nov 2023 16:59:53 -0800

https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-with-secure-boot.md

On Tue, Nov 21, 2023 at 3:14 PM Federico Angelilli <list@fedang.net> wrote:

> Hello,
> A few months ago I decided to turn on secure boot on my dual-OS desktop,
> mainly due to some SB related shenanigans in Windows 11.
> After a (fairly long) session of trial and error, I finally got
> everything to work like this:
> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with
> the right SB key
> 2) When updating grub, sign it with the SB key as well
>
> Everything now works: I can boot with SB enabled to grub, then I can
> either choose to use the linux signed kernel or the windows chainloader.
> Except for a small detail: I can boot even from the unsigned kernels.
> While I first thought of it as an error in my configuration, it turned out
> to be a shortcoming in grub itself (as far as I understand), that simply
> cannot verify SB signatures on its own.
>
> So, how can I set up grub in a way that I can:
> 1) boot with secure boot enabled to the grub menu
> 2) only boot from entries that are signed themselves
>
> Thanks,
> Federico
>
>
>

