grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot


From: adrian15sgd
Subject: Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot
Date: Wed, 11 Sep 2024 17:13:00 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0

El 11/9/24 a las 12:38, Tobias Powalowski via Grub-devel escribió:

Back in the day I added that commit on the supergrub history because I wasn't proud enough of the SecureBoot implementation or I messed up in which branch I was pushing those changes. Right now the SecureBoot build is turned on on the main supergrub codebase.

It is based on the Debian binaries and, if I'm being honest, I might remove it (and suggest people to boot Super Grub2 Disk while SecureBoot is disabled) in the future because of two main reasons:

- Not being able to keep up with Debian updates in order to avoid problems with revoked SecureBoot-enabled shims/grubs . - Nobody seem to be asking for any Fedora / RedHat / SusE, you-name-it SecureBoot support for Super Grub2 Disk.

Alternatively I could try to embed supergrub scripts onto an official Debian grub-related package and... just recommend that when you cannot turn off SecureBoot on your UEFI Firmware. You want SecureBoot's SuperGrub in SusE ? Just port that package onto SusE yourself.

Note: In this message: SuperGrub = Super Grub Disk = Super Grub2 Disk .

adrian15


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Sorry to chime in, but it does not matter which distro you have as base.

The shim needs to be signed by Microsoft, any built grub can then be used afterwards.

With a MOK setup you can pretty boot anything then.


This is what it usually happens in a Secure Boot scenario:

- UEFI Firmware loads up /BOOT/BOOTX64.EFI
- BOOTX64.EFI (shim) is loaded. (Signed by Microsoft)
- GRUBX64.EFI (Grub) is loaded. (Signed by Debian)
- Kernel is loaded. (Signed by Debian)

... if any of the previous signatures are not valid... Secure Boot refuses to boot everything.

So when I say that SuperGrub SecureBoot support is based on Debian binaries I'm actually saying that I'm using their signed binaries for shim and grub. I'm also using the Ubuntu ones. So... with SG2D you can boot SecureBoot signed Debian kernels and SecureBoot signed Ubuntu kernels on a SecureBoot enabled UEFI Firmware. (As long as those shim and grub binaries signatures are not revoked according to the UEFI's SBAT)

For me it **does matter** which distro I'm basing my binaries...
  You see... I'm not concerned on the very first boot part where shim boots in a SecureBoot enabled UEFI because Debian has managed to sign its shim by Microsoft.
  That works with no problem.
  I'm concerned about not being able to boot Fedora kernels, Suse kernels and so on from let's say "Debian's shim + Debian's grub" which it's later on on the boot process.   I actually know that I could boot those Fedora / SusE kernels if I shipped:     - Fedora's SecureBoot signed by Microsoft shim and its associated grub image.     - SusE's SecureBoot signed by Microsoft shim and its associated grub image.   but it's too much work for the little interest that regular users of Super Grub2 Disk are having onto this.

Also... regarding the original email from Askar be aware that he could be interested in Microsoft signing-in his grub binary (or in signing with his own keys) even if it's not the advised/usual way to go.

adrian15



reply via email to

[Prev in Thread] Current Thread [Next in Thread]