Bug#820129: grub2: Disallow booting unsigned kernels when Secure Boot is enabled

Steve McIntyre steve at einval.com
Sun Apr 15 22:03:55 BST 2018 

Philipp?

On Thu, Apr 12, 2018 at 05:10:38PM +0100, Luca Boccassi wrote:
>On Thu, 2018-04-12 at 15:58 +0100, Steve McIntyre wrote:
>> [ Note cc to the d-efi list. SB is finally in progress after last
>>   week's sprint! ]
>> 
>> Very belated, it's time we discussed this.

<snip>

>> This looks like one way of doing this. Philipp Hahn is suggesting
>> that
>> we just don't include the "linux" module in our signed grub
>> build. That's simpler, but potentially causes problems elsewhere,
>> e.g. "it gets a bit nasty to try and dynamically switch between linux
>> and linuxefi in live-build". So, let's discuss - we need to agree our
>> policy and decide the best mechanism here. Go...!
>
>The issues I see is that until now pretty much everywhere "linux" is
>used in grub.cfg.
>
>This can be solved easily, and indeed Philipp has already done it, for
>local installations - the problems arise when building images.
>
>At least in live-build (not sure about debootstrap/live-wrapper?),
>users can provide their own grub.cfg. Personally I've never seen anyone
>use anything but "linux" in the menuentry (eg: Kali [2]).
>
>So I'd need to do something like this [1] in live-build:
>
>sed -i "s|linux\(\s\+/\w\+/vmlinuz\)|linuxefi\1|" \
>    binary/boot/grub/grub.cfg
>sed -i "s|initrd\(\s\+/\w\+/initrd\)|initrdefi\1|" \
>    binary/boot/grub/grub.cfg
>
>With the risk of randomly breaking with weird user's grub.cfg :-/
>
>I'd really like to make the process as transparent as possible for
>users, as there are already enough hoops to jump through as-is to get
>secure boot working.
>
>I have been using the patch from this bug in production for about a
>year as an alternative in the downstream distro at $work, and it seems
>to work fine.
>
>On the other hand, I imagine it's easier to verify that nothing is
>broken by removing the "linux" module rather than using this patch. So
>there's the other side of the coin.
>
>-- 
>Kind regards,
>Luca Boccassi
>
>[1] https://salsa.debian.org/bluca/live-build/commits/linuxefi
>[2] http://git.kali.org/gitweb/?p=live-build-config.git;a=blob;f=kali-config/common/bootloaders/grub-pc/grub.cfg


-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
            handing rope-creating factories for users to hang multiple
            instances of themselves.

More information about the Pkg-grub-devel mailing list