Hey,

On Mon, Oct 06, 2025 at 03:55:56AM +0800, Grimoire April wrote:
> Hi!
>
> I use grub with secure-boot enabled, and grub enforces signature
> checks for files it loads. I actually went through a not-so-short
> trial-and-error process signing all the files correctly. However, if I
> don't enable user authentication for grub, some malicious user can
> simply press 'e' and add 'set check_signatures=no'.
> So I went on to set up authentication of a grub user. However, with
> users present, any action needs authentication, even just booting with
> an existing entry. I believe it makes sense to have an option that
> sets every entry to unrestricted, so secure-boot users won't need to
> hack into scripts shipped by distributions.

The commit bb65d81fe (cli_lock: Add build option to block command line interface)
is probably your friend...

Daniel
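An added example, not part of the thread and not GRUB project code: a small audit of a grub.cfg for the setup described in the quoted message. It reports whether `superusers` is set (which restricts the command line and entry editing to superusers) and which entries lack `--unrestricted` and would therefore ask for a password just to boot. The sample config, the placeholder hash and the function name `audit` are constructed for illustration.

```python
import re

# Constructed sample grub.cfg fragment (not taken from the thread).
SAMPLE_CFG = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'Linux' --class gnu-linux --unrestricted {
    linux /vmlinuz root=/dev/sda1
}
submenu 'Advanced options' {
    menuentry 'Linux (recovery)' --users "" {
        linux /vmlinuz single
    }
}
"""

# menuentry and submenu accept the same access options.
ENTRY_RE = re.compile(r"""^\s*(menuentry|submenu)\s+(["'])(.*?)\2(.*)$""")
SUPERUSERS_RE = re.compile(r"""^\s*set\s+superusers=(["']?)([^"']*)\1\s*$""")


def audit(cfg_text):
    """Return the superusers value and the entries that would prompt for a password."""
    superusers = None
    restricted = []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        m = SUPERUSERS_RE.match(line)
        if m:
            superusers = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and "--unrestricted" not in m.group(4).split():
            restricted.append((lineno, m.group(1), m.group(3)))
    # Once superusers is set (even to an empty string), the editor and the
    # command line are restricted; entries without --unrestricted then need auth.
    locked = superusers is not None
    return {
        "superusers": superusers,
        "editor_locked": locked,
        "needs_password": restricted if locked else [],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CFG)
    print("editor/CLI locked:", report["editor_locked"])
    for lineno, kind, title in report["needs_password"]:
        print(f"line {lineno}: {kind} '{title}' lacks --unrestricted")
```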
