Re: Verify the signature of OSes (for SB)

[Federico Angelilli]

How would I go about installing the "shim"?

Thanks,
Federico 

On November 22, 2023 1:59:53 AM GMT+01:00, Randy Goldenberg 
<randy.goldenberg@gmail.com> wrote:
>https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-with-secure-boot.md
>
>On Tue, Nov 21, 2023 at 3:14 PM Federico Angelilli <list@fedang.net> wrote:
>
>> Hello,
>> A few months ago I decided to turn on secure boot on my dual os desktop,
>> mainly due to some SB related shenanigans in Windows 11.
>> After a (fairly long) session of trial and error, I finally got
>> everything to work like this:
>> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with
>> the right SB key
>> 2) When updating grub, sign it with the SB key as well
>>
>> Everything now works: I can boot with SB enabled to grub, then I can
>> either choose to use the linux signed kernel or the windows chainloader.
>> Except for a small detail: I can boot even from the unsigned kernels.
>> While I first thought of it as an error on my configuration, I turned out
>> to
>> be a shortcoming in grub itself (as far as I understand), that simply
>> cannot verify sb signatures on its own.
>>
>> So, how can I set up grub in a way that I can:
>> 1) boot with secure boot enable to the grub menu
>> 2) only boot from entries that are signed themselves
>>
>> Thanks,
>> Federico
>>
>>
>>