Re: Verify the signature of OSes (for SB)
From: Federico Angelilli
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 08:26:41 +0100
User-agent: K-9 Mail for Android

Hello,

I already imported the SB keys from the UEFI and signed my GRUB image. However,
the problem is that apart from the UEFI verification of the GRUB image itself,
no other verification is done by GRUB. This would mean that I can actually boot
unsigned kernels from GRUB (with SB enabled!). But I can sign correctly both
the kernel and GRUB as of now.

On November 22, 2023 6:40:18 AM GMT+01:00, Mathias Radtke <m.radtke@uib.de>
wrote:
>Hi,
>
>
>
>So, how can I set up grub in a way that I can:
>1) boot with secure boot enabled to the grub menu
>
>You would need to import your key into the SecureBoot Database in your
>machine's UEFI.
>This way your system knows this signature is valid.
>The official way would be to build a shim with your PubCert inside and have it
>signed by Microsoft so you can get an officially verified shim that can start
>your own signed grub. This way is a very long route and involves a review
>process. As you are using it solely for yourself you don't need it.
>
>Regards
>
>Mathias