https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-with-secure-boot.md
On Tue, Nov 21, 2023 at 3:14 PM Federico Angelilli <[email protected]> wrote:
> Hello,
> A few months ago I decided to turn on secure boot on my dual-OS desktop,
> mainly due to some SB related shenanigans in Windows 11.
> After a (fairly long) session of trial and error, I finally got
> everything to work like this:
> 1) Whenever my kernel is built (I'm using a custom kernel), sign it with
> the right SB key
> 2) When updating grub, sign it with the SB key as well
>
> Everything now works: I can boot with SB enabled to grub, then I can
> either choose to use the signed Linux kernel or the Windows chainloader.
> Except for a small detail: I can boot even from the unsigned kernels.
> While I first thought of it as an error in my configuration, it turned out
> to be a shortcoming in grub itself (as far as I understand), which simply
> cannot verify SB signatures on its own.
>
> So, how can I set up grub in a way that I can:
> 1) boot with secure boot enabled to the grub menu
> 2) only boot from entries that are signed themselves
>
> Thanks,
> Federico
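The symptom described in the post (unsigned kernels still boot) is easiest to catch on the filesystem before it is catched at boot time. The following is an added example, not code from the poster or from the linked hardenedlinux document: it parses the PE/COFF header of an EFI kernel image and reports whether it carries an Authenticode certificate table at all. The sample images are constructed inline; a real check of *which* key signed the image (e.g. `sbverify --cert`) is assumed to run separately, since presence of a signature says nothing about whether it chains to the enrolled db key.

```python
import struct
from pathlib import Path

def has_authenticode_signature(data: bytes) -> bool:
    """Return True if the PE image has a non-empty Certificate Table (data directory 4)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                           # PE32+ (x86_64 / aarch64 kernels)
        count_off, dirs_off = 108, 112
    elif magic == 0x10B:                         # PE32 (32-bit images)
        count_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    if n_dirs <= 4:                              # no room for the certificate entry
        return False
    va, size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    return va != 0 and size != 0

def find_unsigned(paths):
    """Return the subset of paths whose image has no embedded signature table."""
    return [p for p in paths if not has_authenticode_signature(Path(p).read_bytes())]

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a bootable image) for demonstration."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x4000, 0x600)  # placeholder cert table
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # In practice: find_unsigned(Path("/boot").glob("vmlinuz-*"))
    for flag in (True, False):
        print("signed" if has_authenticode_signature(build_sample_pe(flag)) else "UNSIGNED")
```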
