[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot
From: |
adrian15sgd |
Subject: |
Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot |
Date: |
Wed, 11 Sep 2024 17:13:00 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 |
El 11/9/24 a las 12:38, Tobias Powalowski via Grub-devel escribió:
Back in the day I added that commit on the supergrub history because
I wasn't proud enough of the SecureBoot implementation or I messed up
in which branch I was pushing those changes.
Right now the SecureBoot build is turned on on the main supergrub
codebase.
It is based on the Debian binaries and, if I'm being honest, I might
remove it (and suggest people to boot Super Grub2 Disk while
SecureBoot is disabled) in the future because of two main reasons:
- Not being able to keep up with Debian updates in order to avoid
problems with revoked SecureBoot-enabled shims/grubs .
- Nobody seem to be asking for any Fedora / RedHat / SusE,
you-name-it SecureBoot support for Super Grub2 Disk.
Alternatively I could try to embed supergrub scripts onto an official
Debian grub-related package and... just recommend that when you
cannot turn off SecureBoot on your UEFI Firmware.
You want SecureBoot's SuperGrub in SusE ? Just port that package onto
SusE yourself.
Note: In this message: SuperGrub = Super Grub Disk = Super Grub2 Disk .
adrian15
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Sorry to chime in, but it does not matter which distro you have as base.
The shim needs to be signed by Microsoft, any built grub can then be
used afterwards.
With a MOK setup you can pretty boot anything then.
This is what it usually happens in a Secure Boot scenario:
- UEFI Firmware loads up /BOOT/BOOTX64.EFI
- BOOTX64.EFI (shim) is loaded. (Signed by Microsoft)
- GRUBX64.EFI (Grub) is loaded. (Signed by Debian)
- Kernel is loaded. (Signed by Debian)
... if any of the previous signatures are not valid... Secure Boot
refuses to boot everything.
So when I say that SuperGrub SecureBoot support is based on Debian
binaries I'm actually saying that I'm using their signed binaries for
shim and grub.
I'm also using the Ubuntu ones. So... with SG2D you can boot SecureBoot
signed Debian kernels and SecureBoot signed Ubuntu kernels on a
SecureBoot enabled UEFI Firmware. (As long as those shim and grub
binaries signatures are not revoked according to the UEFI's SBAT)
For me it **does matter** which distro I'm basing my binaries...
You see... I'm not concerned on the very first boot part where shim
boots in a SecureBoot enabled UEFI because Debian has managed to sign
its shim by Microsoft.
That works with no problem.
I'm concerned about not being able to boot Fedora kernels, Suse
kernels and so on from let's say "Debian's shim + Debian's grub" which
it's later on on the boot process.
I actually know that I could boot those Fedora / SusE kernels if I
shipped:
- Fedora's SecureBoot signed by Microsoft shim and its associated
grub image.
- SusE's SecureBoot signed by Microsoft shim and its associated
grub image.
but it's too much work for the little interest that regular users of
Super Grub2 Disk are having onto this.
Also... regarding the original email from Askar be aware that he could
be interested in Microsoft signing-in his grub binary (or in signing
with his own keys) even if it's not the advised/usual way to go.
adrian15
- Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot, (continued)
Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot, Askar Safin, 2024/09/14