UEFI Secure Boot - GRUB WIP report

Philipp Hahn hahn at univention.de
Wed Jun 27 21:49:51 BST 2018


Hello Colin, hello Luca,

Am 20.06.2018 um 14:28 schrieb Luca Boccassi:
> On Wed, 2018-06-20 at 14:12 +0200, Philipp Hahn wrote:
>> Am 19.06.2018 um 16:38 schrieb Luca Boccassi:
>>> On Tue, 2018-06-19 at 11:00 +0200, Philipp Hahn wrote:
>>>> Am 19.06.2018 um 10:25 schrieb Colin Watson:
>>>> The good news: It works: It loads the signed SHIM and GRUB.
>>>>
>>>> The bad news: GRUB still falls back to loading an unsigned Linux
>>>> kernel.
...
>>> I really can't find my way around git-dpm though, I find it a bit
>>> confusing, being used to gbp - could there be an issue with the
>>> quilt patch?
>>
>> I'm haven't yet used git-dpm, too.

It took me some time but now it seams to work - Yeah! I think that patch
of yours was not applied in my first build - that should be fixed now.

> This is exactly the symptom fixed by this PR (EFI variable is set so
> you get the first print, but grub overwrites it so the kernel can't
> determine the mode anymore):

Now it get this:
> # dmesg | grep -i secu
> [    0.000000] secureboot: Secure boot enabled
> [    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7


I removed those other branches and I'm back at
<https://salsa.debian.org/pmhahn/grub/tree/signing>.

@Colin: I hope the tree is now in a state you like and can merge it.

I don't have much time to work on that right now and even less starting
mid next week, but Luca seems to be quiet knowledgeable.

So thanks to everyone so far.
Philipp



More information about the Pkg-grub-devel mailing list