On Sun, Aug 30, 2015 at 4:15 PM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 08/30/2015 05:27 AM, Tom H wrote:
Crippling an upstream tool is beyond anything other distros patch.
It's not crippled. The efi modules are packaged separately. If you know that you want to run grub2-install, then you need to install the "grub2-efi-modules" package. When you run grub2-install, it will rebuild /boot/efi/EFI/fedora/grubx64.efi. The bootloader will no longer be signed, and the system will no longer boot in Secure Boot mode. All of this is standard, upstream behavior.
Yeah, it becomes standard upstream behavior if you install grub2-efi-modules and then grub2-install. Otherwise it's distinctly non-standard, but the GNU folks, and by extension the GRUB folks, are stuck with no actual built-in Secure Boot support. All of that gets added on at the distro level. Upstream hasn't incorporated any of this, and last time I checked (year or so) they explicitly had no intention of doing so and instead depend on gnupg signatures for code verification.