help-grub

Re: Verify the signature of OSes (for SB)


From: Andrei Borzenkov
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 10:59:16 +0300

On Wed, Nov 22, 2023 at 10:37 AM Federico Angelilli <list@fedang.net> wrote:
>
> Hello,
> I already imported the sb keys from the uefi and signed my grub image. 
> However the problem is that apart from the uefi verification of the grub 
> image itself, no other verification is done by grub.

grub is using shim services to verify the Linux kernel. You must use shim.
If you already replaced standard Microsoft PK and KEK with your own
(at least, that is how I interpret "imported the sb keys from the
uefi" which is pretty vague), you can sign the shim with your key to
authorize it.

> This would mean that I can actually boot on unsigned kernels from grub (with 
> sb enabled!). But I can sign correctly both the kernel and grub as of now.
>
>
>
> On November 22, 2023 6:40:18 AM GMT+01:00, Mathias Radtke <m.radtke@uib.de> 
> wrote:
> >Hi,
> >
> >
> >
> >So, how can I set up grub in a way that I can:
> >1) boot with secure boot enabled to the grub menu
> >
> >You would need to import your key into the SecureBoot Database in your
> >machine's UEFI.
> >This way your system knows this signature is valid.
> >The official way would be to build a shim with your PubCert inside and have
> >it signed by Microsoft so you can get an officially verified shim that can
> >start your own signed grub. This way is a very long route and involves a
> >review process. As you are using it solely for yourself you don't need it.
> >
> >Regards
> >
> >Mathias
>


