help-grub

Re: GRUB can't chainload Windows under Secure Boot


From: Andrei Borzenkov
Subject: Re: GRUB can't chainload Windows under Secure Boot
Date: Thu, 8 Dec 2016 16:01:41 +0300

On Thu, Dec 8, 2016 at 3:09 PM, Giovanni Santini
<address@hidden> wrote:
> On 08/12/2016 12:31, Andrei Borzenkov wrote:
>>
>> I understand that this needs clarification.
>>
>> GRUB itself is completely Secure Boot agnostic - if you sign the binary it
>> will likely work and will also be able to chainload other signed
>> binaries as long as the firmware accepts them.
>>
>> What it does not support is explicit signature verification using the
>> popular shim protocol, which can be considered bypassing the firmware check
>> entirely.
>>
>
> Ok, I see...
> A (I suppose stupid) question: using Preloader should not affect it, right?
> Preloader enrolls the binary of grub as valid so it can be started;
> but, by that logic, it says nothing to grub about which binaries can
> be chainloaded. Isn't it?
>

There are two preloaders (loosely calling shim a preloader as well). The Linux
Foundation's one overrides the standard security protocol, so assuming
this was successful, it should be fully transparent. The other one is
shim, which installs an additional protocol and needs explicit support to
call it. All distributions I am aware of are based on shim, and so
carry additional patches to grub.

> I am pretty ignorant from this point of view, I am sorry about it.
>
>>
>> https://bugzilla.opensuse.org/show_bug.cgi?id=954126#c6
>>
>
> Thanks for the link!
>
> I've downloaded the grub2 sources for OpenSUSE Tumbleweed (which seems to
> work now, from the follow-up comments in your link) and I was checking
> the Secure Boot patches. I think that the most relevant of them is the
> one named 'grub2-secureboot-chainloader'. Not 100% sure though.
>

Yes, it should be this one. Although the full patch set is rather more extensive.

>
> Additionally, I don't know if you have ever seen any ArchLinux packaging
> stuff; the build is done with the following git tags:
> _GRUB_GIT_TAG="grub-2.02-beta3"
> _GRUB_EXTRAS_COMMIT="f2a079441939eee7251bf141986cdd78946e1d20"
>
>
> I was thinking I can add some of the OpenSUSE patches to the Arch build
> to add the missing support for SB.
>
> --
> Giovanni Santini
> My blog: http://giovannisantini.tk
> My code: https://git{hub,lab}.com/ItachiSan
> My GPG: 2FADEBF5

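Added illustration of the two verification paths Andrei distinguishes above (this is not code from the thread, from GRUB, shim or PreLoader). Real firmware services are replaced by plain C function pointers, and Authenticode checking is replaced by a constructed hash allow-list, so the model runs offline; the image bytes, the db/MokList contents and the PE-loader stub are all assumptions. What it shows is the mechanism: the Linux Foundation PreLoader swaps the hook that the firmware's own LoadImage() consults, so an unpatched chainloader benefits without knowing; shim instead publishes EFI_SHIM_LOCK_PROTOCOL, which does nothing unless the loader locates it and calls Verify itself, which is exactly what the distro chainloader patch adds.

```c
/* Constructed user-space model of firmware LoadImage() hooks vs. shim's
 * explicit Verify protocol. Not GRUB/shim/PreLoader code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned long efi_status;
#define EFI_SUCCESS            0UL
#define EFI_SECURITY_VIOLATION 26UL /* low bits of the real UEFI error code */

/* Constructed stand-ins for signed PE images; a hash of the bytes plays
 * the role of the Authenticode signature (assumption, not real PE parsing). */
static const uint8_t windows_image[]  = "PE bootmgfw.efi signed-by Microsoft UEFI CA";
static const uint8_t distro_image[]   = "PE vmlinuz.efi signed-by distro MOK";
static const uint8_t unsigned_image[] = "PE evil.efi unsigned";

static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Trust stores: 'db' is the firmware's UEFI signature database, 'mok' the
 * Machine Owner Key list that only shim / PreLoader know about. */
static int in_db(const uint8_t *img, size_t n)  { return fnv1a(img, n) == fnv1a(windows_image, sizeof windows_image); }
static int in_mok(const uint8_t *img, size_t n) { return fnv1a(img, n) == fnv1a(distro_image, sizeof distro_image); }

/* --- Path 1: EFI_SECURITY2_ARCH_PROTOCOL.FileAuthentication ------------- */
typedef efi_status (*file_auth_fn)(const uint8_t *img, size_t n);

static efi_status firmware_file_auth(const uint8_t *img, size_t n) {
    return in_db(img, n) ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}
/* PreLoader's replacement hook: additionally accept MOK-enrolled images. */
static efi_status preloader_file_auth(const uint8_t *img, size_t n) {
    return (in_db(img, n) || in_mok(img, n)) ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}
static file_auth_fn g_file_auth = firmware_file_auth;

/* Model of BootServices->LoadImage(): it always consults whatever hook is
 * currently installed, so overriding the hook changes policy for every
 * caller, including an unpatched GRUB that knows nothing about it. */
static efi_status efi_load_image(const uint8_t *img, size_t n) {
    return g_file_auth(img, n);
}

/* --- Path 2: EFI_SHIM_LOCK_PROTOCOL -------------------------------------- */
/* Published by shim under GUID 605dab50-e046-4300-abb6-3dd810dd8b23. The
 * firmware never calls it; only a loader that looks it up does. */
struct shim_lock {
    efi_status (*verify)(const void *buf, uint32_t size);
};
static efi_status shim_verify(const void *buf, uint32_t size) {
    const uint8_t *img = buf;
    return (in_db(img, size) || in_mok(img, size)) ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}
static const struct shim_lock g_shim_lock = { shim_verify };

/* Unpatched GRUB chainloader: hands the image to LoadImage and inherits
 * whatever FileAuthentication hook the firmware (or PreLoader) installed. */
static efi_status chainload_stock(const uint8_t *img, size_t n) {
    return efi_load_image(img, n);
}

/* Chainloader with a 'secureboot-chainloader' style patch: ask shim first,
 * then map and start the image with its own PE loader (modelled as plain
 * success here) instead of going through the firmware's LoadImage. */
static efi_status chainload_shim_aware(const struct shim_lock *lock,
                                      const uint8_t *img, size_t n) {
    if (lock == NULL)                 /* shim protocol absent: firmware decides */
        return efi_load_image(img, n);
    efi_status st = lock->verify(img, (uint32_t)n);
    if (st != EFI_SUCCESS)
        return st;
    return EFI_SUCCESS;               /* image started by GRUB's own loader */
}

/* Switch the modelled firmware between stock and PreLoader-hooked. */
static void install_preloader(int on) {
    g_file_auth = on ? preloader_file_auth : firmware_file_auth;
}

int main(void) {
    install_preloader(0);
    printf("stock fw,  stock grub, windows: %lu\n", chainload_stock(windows_image, sizeof windows_image));
    printf("stock fw,  stock grub, distro : %lu\n", chainload_stock(distro_image, sizeof distro_image));
    install_preloader(1);
    printf("PreLoader, stock grub, distro : %lu\n", chainload_stock(distro_image, sizeof distro_image));
    install_preloader(0);
    printf("shim,      stock grub, distro : %lu\n", chainload_stock(distro_image, sizeof distro_image));
    printf("shim,      patched,    distro : %lu\n", chainload_shim_aware(&g_shim_lock, distro_image, sizeof distro_image));
    printf("shim,      patched,    evil   : %lu\n", chainload_shim_aware(&g_shim_lock, unsigned_image, sizeof unsigned_image));
    return 0;
}
```

The scenario to watch is the fourth line of output: with shim present but an unpatched chainloader, the MOK-signed image is refused, because nobody ever called Verify and the firmware's own db does not contain it. Conversely, the Microsoft-signed image loads through the stock path in every configuration, which is the "as long as firmware accepts them" case from the reply.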

