pesign
Mr Dash Four
mr.dash.four at googlemail.com
Fri Oct 19 13:27:40 UTC 2012
> You'd have to write some code for both grub2 and shim. Grub2 doesn't
> actually do the authentication itself, it calls back to shim to do that.
> And shim is looking in two databases for certs/hashes.
>
> You'd probably need to rebuild shim with your personal key embedded,
> and modified to always verify. Then you'd need to modify grub2 to
> always call shim to do verification and install that. I honestly have
> no idea how difficult that would be.
>
Looks complicated - I'll keep that option in mind as "plan B" if I get
stuck and my "plan A" is not feasible!
> It's carried in the patchset and put in
> Documentation/kernel-parameters.txt. It's called "secureboot_enable=".
>
Brilliant, thanks!
> You should be able to disable Secure Boot in the firmware, and reboot
> back into setup mode. It should allow you to delete all the existing
> keys at that point. Though you'd actually need to have a machine that
> has Secure Boot implemented in the first place.
>
Aha! I wasn't aware of that (it tells me I could disable it, but I
wasn't aware that I could delete all the keys... nice!).
> You can. In order to be specification compliant, the machine needs to
> allow you to disable Secure Boot.
That is indeed the case!
> Once that's done, it'll enter setup
> mode. Once in that mode, I believe there are even some open source
> tools that will help you enroll keys, etc.
>
I'll dig that up when I have more time. If I could manage to get that
working the rest should fall into place quite easily and I won't need to
mess around with shim/grub2. Thanks for that, Josh, much appreciated!
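A check that goes with the setup-mode discussion above, added here as an example and not part of the original thread: before deleting or enrolling keys, a practitioner wants to confirm whether the firmware is actually enforcing Secure Boot or is already in setup mode. On Linux both states are exposed as UEFI variables under /sys/firmware/efi/efivars (SecureBoot and SetupMode, in the EFI global-variable GUID namespace 8be4df61-93ca-11d2-aa0d-00e098032b8c); each efivars file is four bytes of attributes followed by the variable data, and these two variables carry a single data byte. The EFIVARS override and the function names are this example's own choices, not a tool from the thread.

```shell
#!/bin/sh
# Added example: classify the machine's Secure Boot state from the UEFI
# variables Linux exposes under /sys/firmware/efi/efivars.
# Not code from the original thread; EFIVARS override is an assumption for testing.

EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE GUID

# efivar_data_byte FILE: print the first data byte (after the 4 attribute bytes)
# as a decimal number, or "missing" when the variable file is not readable.
efivar_data_byte() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# secureboot_state DIR: read SecureBoot and SetupMode from DIR and print one of
#   no-efi      - no SecureBoot variable (legacy boot or no efivars mounted)
#   setup-mode  - PK absent; db/KEK/dbx can be rewritten, keys can be enrolled
#   enforcing   - Secure Boot enabled, only signed binaries boot
#   disabled    - Secure Boot off but the platform still holds its keys
secureboot_state() {
    dir="$1"
    sb=$(efivar_data_byte "$dir/SecureBoot-$GLOBAL_GUID")
    sm=$(efivar_data_byte "$dir/SetupMode-$GLOBAL_GUID")
    if [ "$sb" = missing ]; then
        echo no-efi
    elif [ "$sm" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# Report the live machine's state when run directly.
secureboot_state "$EFIVARS"
```

Run it as root or any user that can read efivars; "setup-mode" is the state in which the firmware will let you delete the existing keys and enroll your own, which is what the thread recommends checking for before touching shim or grub2.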
More information about the kernel mailing list