
Re: Verify the signature of OSes (for SB)


From: Federico Angelilli
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 10:56:22 +0100
User-agent: K-9 Mail for Android

Yes, I added my key to the UEFI PK db. Sorry for being vague, but a while has passed.

Anyway, everyone seems to agree that for my use case I need the shim. However, 
from what I found online (not a lot, truthfully) it is a tool separate from grub, 
made by Debian and verified directly by Microsoft. Since I'm not using a distro 
with shim preinstalled, could you point me to some guide explaining from 
scratch how to add it?

Thanks,
Federico

On November 22, 2023 8:59:16 AM GMT+01:00, Andrei Borzenkov 
<arvidjaar@gmail.com> wrote:
>On Wed, Nov 22, 2023 at 10:37 AM Federico Angelilli <list@fedang.net> wrote:
>>
>> Hello,
>> I already imported the sb keys from the uefi and signed my grub image. 
>> However, the problem is that apart from the uefi verification of the grub 
>> image itself, no other verification is done by grub.
>
>grub uses shim services to verify the Linux kernel. You must use shim.
>If you have already replaced the standard Microsoft PK and KEK with your own
>(at least, that is how I interpret "imported the sb keys from the
>uefi", which is pretty vague), you can sign the shim with your key to
>authorize it.
>
>> This would mean that I can actually boot unsigned kernels from grub (with 
>> sb enabled!). But I can correctly sign both the kernel and grub as of now.
>>
>> On November 22, 2023 6:40:18 AM GMT+01:00, Mathias Radtke <m.radtke@uib.de> 
>> wrote:
>> >Hi,
>> >
>> >So, how can I set up grub in a way that I can:
>> >1) boot with Secure Boot enabled to the grub menu
>> >
>> >You would need to import your key into the Secure Boot database in your 
>> >machine's UEFI.
>> >This way your system knows this signature is valid.
>> >The official way would be to build a shim with your PubCert inside and have 
>> >it signed by Microsoft, so you get an officially verified shim that can 
>> >start your own signed grub. This is a very long route and involves a 
>> >review process. As you are using it solely for yourself, you don't need it.
>> >
>> >Regards
>> >
>> >Mathias
>>
>
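A quick signedness check that follows from Andrei's point above (grub itself verifies nothing; the firmware, and shim for the kernel, check the Authenticode signature embedded in the PE image). This added Python example is not from the thread or from the GRUB/shim projects: it walks a PE/COFF image's Certificate Table and lists the embedded WIN_CERTIFICATE entries, so an unsigned grubx64.efi or kernel image shows up as an empty list. The PE32+ skeleton and placeholder certificate blob are constructed here purely as sample input, and no signature is cryptographically verified.

```python
import struct

CERT_TABLE_INDEX = 4                    # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200

def authenticode_signatures(image: bytes) -> list:
    """List WIN_CERTIFICATE headers in a PE/COFF image; empty list means unsigned.
    Only locates the blobs UEFI/shim verify; it does not check the PKCS#7 itself."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt_off = pe_off + 24                                   # "PE\0\0" + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x20B:                                      # PE32+ (x86_64 / aarch64 EFI)
        dirs_off, ndirs_off = opt_off + 112, opt_off + 108
    elif magic == 0x10B:                                    # PE32 (ia32 EFI)
        dirs_off, ndirs_off = opt_off + 96, opt_off + 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", image, ndirs_off)[0] <= CERT_TABLE_INDEX:
        return []
    # For this directory entry, "VirtualAddress" is really a file offset.
    table_off, table_size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_TABLE_INDEX)
    sigs, pos, end = [], table_off, table_off + table_size
    while table_off and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        sigs.append({"revision": revision, "type": cert_type, "length": length})
        pos += (length + 7) & ~7                            # entries are 8-byte aligned
    return sigs

def fake_win_certificate(payload: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE around a placeholder payload (not real PKCS#7 data)."""
    body = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    return body + b"\0" * (-len(body) % 8)

def build_sample_pe32plus(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ skeleton (headers only, not bootable) as sample input."""
    hdr_size = 0x40 + 4 + 20 + 240                          # DOS stub, "PE\0\0", COFF, optional
    img = bytearray(hdr_size)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<H", img, 0x40 + 24, 0x20B)           # PE32+ magic
    struct.pack_into("<I", img, 0x40 + 24 + 108, 16)        # NumberOfRvaAndSizes
    if cert_blob:                                           # slot stays zero for an unsigned image
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 8 * CERT_TABLE_INDEX, hdr_size, len(cert_blob))
    return bytes(img) + cert_blob
```

Run `authenticode_signatures(open("/boot/efi/EFI/<distro>/grubx64.efi", "rb").read())` on a real image to see the entries the firmware would check; an empty result is exactly the unsigned-kernel case discussed in the thread.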

