From: Tobias Powalowski
Subject: Re: [PATCH] Change "efi" to "EFI" in grub-mkrescue for secure boot
Date: Wed, 11 Sep 2024 17:46:14 +0200
User-agent: Mozilla Thunderbird

You can boot any system with a MOK (Machine Owner Key) that is added to the EFI variables by the mok manager tool.

This is what usually happens in a Secure Boot scenario:

- UEFI Firmware loads up /BOOT/BOOTX64.EFI
- BOOTX64.EFI (shim) is loaded. (Signed by Microsoft)
- GRUBX64.EFI (Grub) is loaded. (Signed by Debian)
- Kernel is loaded. (Signed by Debian)

... if any of the previous signatures are not valid... Secure Boot refuses to boot everything.

So when I say that SuperGrub SecureBoot support is based on Debian binaries I'm actually saying that I'm using their signed binaries for shim and grub. I'm also using the Ubuntu ones. So... with SG2D you can boot SecureBoot signed Debian kernels and SecureBoot signed Ubuntu kernels on a SecureBoot enabled UEFI Firmware. (As long as those shim and grub binaries signatures are not revoked according to the UEFI's SBAT)

In your scenario, shim launches mokmanager in which you can add any kernel and any boot manager to EFI variables.

At least for my Arch Linux setup this works fine with Fedora's shim. I think Ventoy also uses this method for booting anything.

Best regards
tpowa
--
Tobias Powalowski
Arch Linux Developer (tpowa)
https://www.archlinux.org
tpowa@archlinux.org

Archboot Developer
https://archboot.com

St. Martin-Apotheke
Herzog-Georg-Str. 25
89415 Lauingen
https://www.st-martin-apo.de
info@st-martin-apo.de
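
A simplified model of the verification chain discussed in this message, added here as an illustration; it is not part of the original e-mail and is not shim or GRUB code. The key labels, SBAT generations and the `verify_chain` helper are constructed, and a signature check is reduced to comparing signer labels.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Image:
    name: str
    signer: str        # constructed label standing in for the signing certificate
    sbat: tuple = ()   # (component, generation); empty when no SBAT data is modelled

def sbat_revoked(img, sbat_min):
    """True when the image's SBAT generation is below the revocation minimum."""
    if not img.sbat:
        return False
    component, generation = img.sbat
    return generation < sbat_min.get(component, 0)

def verify_chain(chain, firmware_db, vendor_key, mok_list, sbat_min):
    """Model: firmware checks only the first loader; shim checks everything after it."""
    shim, later = chain[0], chain[1:]
    if shim.signer not in firmware_db:
        return False, f"firmware rejects {shim.name}"
    if sbat_revoked(shim, sbat_min):
        return False, f"{shim.name} revoked by SBAT"
    # Later stages are trusted via the firmware db, the key built into shim, or a MOK.
    trusted = set(firmware_db) | {vendor_key} | set(mok_list)
    for img in later:
        if img.signer not in trusted:
            return False, f"shim rejects {img.name} (signer {img.signer})"
        if sbat_revoked(img, sbat_min):
            return False, f"{img.name} revoked by SBAT"
    return True, "booted"

# Constructed sample data for the two setups mentioned in the thread.
FIRMWARE_DB = {"microsoft-uefi-ca"}
DEBIAN_CHAIN = [Image("BOOTX64.EFI", "microsoft-uefi-ca", ("shim", 4)),
                Image("GRUBX64.EFI", "debian", ("grub", 4)),
                Image("kernel", "debian")]
ARCH_CHAIN = [Image("BOOTX64.EFI", "microsoft-uefi-ca", ("shim", 4)),  # Fedora's shim
              Image("GRUBX64.EFI", "owner-mok", ("grub", 4)),
              Image("kernel", "owner-mok")]

if __name__ == "__main__":
    print(verify_chain(DEBIAN_CHAIN, FIRMWARE_DB, "debian", [], {}))
    print(verify_chain(ARCH_CHAIN, FIRMWARE_DB, "fedora", [], {}))
    print(verify_chain(ARCH_CHAIN, FIRMWARE_DB, "fedora", ["owner-mok"], {}))
    print(verify_chain(DEBIAN_CHAIN, FIRMWARE_DB, "debian", [], {"grub": 5}))
```
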