Re: [Secure boot] Force check of kernel signature.

[Plamen K. Kosseff]

На 28.04.2015 в 11:34, Andrei Borzenkov написа:

On Tue, Apr 28, 2015 at 10:44 AM, Plamen K. Kosseff <address@hidden> wrote:

Hello,

Distro: Gentoo ~amd64
grub version: grub-2.02_beta2

So I have a secure boot enabled system with my own keys. I've signed grub
and the system is bootable.
However grub will happily load any kernel, signed or not, which renders
secure boot useless.

Is there a way to make grub to load only signed kernels?

Upstream GRUB does not support secure boot signatures (or signed PE in
general). There is support for gpg detached signatures. Distribution
carry extra patch(es) to enable secure boot signature verification
using shim. You need to check gentoo documentation how to do it. Shim
supports enrolling of own keys.

Thanks for the prompt response.

Gentoo doesn't support Shim. Their view on the matter is that you should boot the kernel directly and rely on the
firmware to provide boot loader functionality, however I have a very "nice" implementation of UEFI from HP that
will always boot windows and will override changes in the boot order on every boot.

Anyway I'll check if gummiboot provides enough functionality for my case.