URL: <https://savannah.gnu.org/bugs/?65103>
Summary: no way to disable secure boot signature for images to boot from grub
Group: GNU GRUB
Submitter: akallabeth
Submitted: Mon 01 Jan 2024 11:04:44 AM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: other
Discussion Lock: Any
Reproducibility: Every Time
Planned Release: None

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Mon 01 Jan 2024 11:04:44 AM UTC  By: akallabeth <akallabeth>

My setup is as follows:

1. I have a grubx64.efi signed with my own MOK secure boot keys
2. I have enabled signature verification with grub-mkstandalone --pubkey <key> and set check_signatures=enforce
3. Booting without secure boot works fine; the grub signature checks are enforced (cannot load any image that does not have a detached signature with my grub key id)
4. If I enable secure boot, each image must also be signed with my MOK keys or the image will not boot
5. I have tried to build the grub image with and without --disable-shim-lock

I have not found a way to disable this behavior and let grub boot arbitrary images that are only signed with the grub key. The secure boot keys are no longer needed (and in my case only used to make manipulation of the grub image harder). All further operations should only depend on the grub signature verification for my setup.
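The setup the reporter describes in steps 1 to 4, as an added shell example that is not part of the bug report: it builds a standalone GRUB image with an embedded GPG public key and an embedded config that sets check_signatures=enforce, signs the image with a MOK key pair for shim, and detach-signs the files GRUB will load. Key ids, paths and the MOK file names are placeholders, and the external tools (gpg, grub-mkstandalone, sbsign) are only invoked when the script is run with the argument "run".

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce the reporter's two-layer
# setup so that GRUB's own detached-signature check (layer 2) and shim/MOK
# Authenticode verification (layer 1) can be built and audited separately.
set -eu

GRUB_KEY="${GRUB_KEY:-grub-signing@example.invalid}"          # GPG key id (placeholder)
MOK_KEY="${MOK_KEY:-MOK.key}"; MOK_CRT="${MOK_CRT:-MOK.crt}"    # MOK key pair (placeholder)
ESP="${ESP:-/boot/efi}"                                         # EFI system partition (placeholder)

# Config embedded in the image: turn on GRUB's detached-signature check before
# anything else is read from disk, then hand over to the on-disk grub.cfg.
write_embedded_cfg() {
    cat > "$1" <<'EOF'
set check_signatures=enforce
export check_signatures
search --no-floppy --file --set=root /boot/grub/grub.cfg
configfile ($root)/boot/grub/grub.cfg
EOF
}

# Detached GPG signature beside a file, the form GRUB's verifier looks for (FILE.sig).
detach_sign() {
    gpg --batch --yes --local-user "$GRUB_KEY" --output "$1.sig" --detach-sign "$1"
}

# Returns 0 only if FILE has a non-empty FILE.sig next to it. Run this over
# /boot before rebooting with enforce: an unsigned kernel or initrd will not load.
has_detached_sig() { [ -s "$1.sig" ]; }

# Step 2 of the report: standalone image with the public key and config embedded.
# The embedded config is signed too, since enforce applies to it as well.
build_grub() {
    gpg --export --output grub-pubkey.gpg "$GRUB_KEY"
    write_embedded_cfg embedded.cfg && detach_sign embedded.cfg
    grub-mkstandalone -O x86_64-efi --pubkey grub-pubkey.gpg -o grubx64.efi \
        "boot/grub/grub.cfg=embedded.cfg" "boot/grub/grub.cfg.sig=embedded.cfg.sig"
}

# Step 1 of the report: Authenticode-sign the image with the MOK key so shim accepts it.
mok_sign() { sbsign --key "$MOK_KEY" --cert "$MOK_CRT" --output "$2" "$1"; }

run_all() {
    build_grub && mok_sign grubx64.efi "$ESP/EFI/BOOT/grubx64.efi"
    for f in /boot/vmlinuz /boot/initrd.img /boot/grub/grub.cfg; do
        detach_sign "$f"; has_detached_sig "$f" || { echo "unsigned: $f" >&2; exit 1; }
    done
}

case "${1:-}" in run) run_all ;; esac
```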