help-grub
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Secure boot] Force check of kernel signature.


From: Andrei Borzenkov
Subject: Re: [Secure boot] Force check of kernel signature.
Date: Tue, 28 Apr 2015 14:58:40 +0300

On Tue, Apr 28, 2015 at 2:34 PM, Plamen K. Kosseff <address@hidden> wrote:
> Hi Andrei,
>
> На 28.04.2015 в 12:26, Andrei Borzenkov написа:
>> On Tue, Apr 28, 2015 at 11:55 AM, Plamen K. Kosseff <address@hidden> wrote:
>>> Gentoo doesn't support Shim. Their view on the matter is that you should
>>> boot the kernel directly and rely on the
>>> firmware to provide boot loader functionality, however I have a very "nice"
>>> implementation of UEFI from HP that
>>> will always boot windows and will override changes in the boot order on
>>> every boot.
>>>
>> Well, you could try to use chainloader then. It will simply load
>> kernel and let firmware to verify it.
> Well the possibility to load any kernel will still exist

You misunderstand. Chainloader is using EFI API to load image. So your
firmware will verify signature, just like it does it for grub.

Using "linux" loader in grub is different. Here grub directly reads in
memory and transfers control to kernel binary, bypassing EFI firmware.

>
> Is it possible to patch out everything else and just leave the chainloader?

If you generate image that does not have filesystem driver for a
/boot/grub (i.e. where grub modules are located) you are restricted to
only those commands and functionalilty that are included in image



reply via email to

[Prev in Thread] Current Thread [Next in Thread]