Re: Verify the signature of OSes (for SB)
From: Federico Angelilli
Subject: Re: Verify the signature of OSes (for SB)
Date: Wed, 22 Nov 2023 11:02:11 +0100
User-agent: K-9 Mail for Android

Honestly, I don't think that booting to Windows is the problem, since it seems
that as long as the bootloader is signed (even without a Microsoft key, like
I'm doing), chainloading Windows will just work.
Also, I assume that the Windows bootloader and kernel are already signed for SB.
The problem lies in verifying the entries in grub (so before chainloading
Windows or loading kernels). I will try to look into the shim anyway; if you
have some documentation on it, I would appreciate it.
Thanks,
Federico
On November 22, 2023 9:00:04 AM GMT+01:00, Mathias Radtke <m.radtke@uib.de>
wrote:
>Hi
>
>Hello,
>I already imported the SB keys from the UEFI and signed my grub image. However,
>the problem is that apart from the UEFI verification of the grub image itself,
>no other verification is done by grub. This would mean that I can actually
>boot on unsigned kernels from grub (with SB enabled!). But I can sign
>correctly both the kernel and grub as of now.
>
>Then I think you would have to compile a shim for your system and boot this
>one first instead of grub. However, if this shim is not signed by Microsoft, I
>can't say for sure if a Linux/Windows dual-boot system will boot properly into
>Windows.
>I think you should also compile the public cert of your key into the shim,
>just to make sure.
>
>Regards
>
>Mathias