05.03.2025 07:13, Aaron Pace wrote:
> Hello,
>
> I apologize if this has already been answered somewhere.  I did a cursory
> search of the mailing list history, but didn't find a clear answer.
>
> I have my own 4096-bit RSA PK, KEK, and DB key enrolled in my BIOS.
> I have signed grub with the DB key, and it boots correctly.
>
> Rather than using shim / MOKmanager / etc., I would like to have GRUB read
> the DB variable from the EFI store and use the certificates stored there to
> validate my initrd / vmlinux.


Upstream grub does not do it. And the initrd is normally not verified anyway, because it is usually too volatile.

> I haven't found a way to do this yet.  I can sign my initrd/vmlinux with a
> GPG key which I then store in my boot partition, but would like to be able
> to instead use the one set of keys from the UEFI DB variable to validate
> everything.
>
> Can this be done?


Sure, this can be done. Distributions patch the grub "linux" command to invoke the Linux kernel as an EFI binary, in which case the firmware will automatically verify it. Upstream grub needs to explicitly verify the image.

If the question is whether this can be done in the current upstream grub: I guess you could load a Linux kernel with the EFI stub using the EFI chainloader command. It will go through the normal EFI LoadImage, which will implicitly verify it. But you will need to maintain the grub configuration yourself; the default grub-mkconfig has no provision for it (or add an /etc/grub.d script to do it).

It will not verify the initrd though. The only solution that does it is the systemd UKI (at least, the only one known to me), where kernel and initrd are packed into a single EFI binary. Hmm ... if you have it, you can just as well load it using grub "chainloader".
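The chainloader route described above, as an added example that is not code from upstream grub, from the poster, or from the reply: a generator in the style of an /etc/grub.d script (the file name /etc/grub.d/45_signed_efi, the ESP mount point, the image path and the kernel command line are all assumptions) that emits a menuentry chainloading a DB-signed EFI-stub kernel or a UKI. Because grub's EFI "chainloader" hands the image to the firmware's LoadImage(), the firmware checks the Authenticode signature against DB with the one set of keys already enrolled; a separate initrd is not covered, only one packed into a UKI is.

```shell
#!/bin/sh
# Added example (not upstream grub's or the thread's code): emit a grub
# menuentry that chainloads a DB-signed EFI image so the firmware verifies it.
# Intended to live as /etc/grub.d/45_signed_efi (assumed name) and be picked
# up by grub-mkconfig, which otherwise has no provision for this.

# Assumed ESP mount point and image path on it. The image must be placed and
# signed by hand with the DB key enrolled in the firmware, e.g. (assumed):
#   sbsign --key db.key --cert db.crt --output linux.efi linux.efi.unsigned
ESP_MOUNT="${ESP_MOUNT:-/boot/efi}"
IMAGE_PATH="${IMAGE_PATH:-/EFI/Linux/linux.efi}"
# Leave empty for a UKI (it carries its own cmdline and initrd); set it for a
# bare EFI-stub kernel, which then boots without any initrd.
KERNEL_CMDLINE="${KERNEL_CMDLINE:-}"

# Sanity check before emitting an entry: the firmware only loads PE/COFF
# images, which start with the "MZ" magic. This does not check the signature;
# the firmware does that at boot and refuses images not signed by a DB cert.
is_pe_image() {
    [ -r "$1" ] && [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# Print one grub menuentry. "search --file" locates the partition holding the
# image so the entry does not depend on $root. Any words after the image path
# are passed by chainloader to the loaded image as its EFI load options, which
# the kernel's EFI stub uses as the kernel command line.
emit_entry() {
    title="$1"; image="$2"; cmdline="$3"
    printf 'menuentry "%s" {\n' "$title"
    printf '    search --no-floppy --file --set=root %s\n' "$image"
    if [ -n "$cmdline" ]; then
        printf '    chainloader %s %s\n' "$image" "$cmdline"
    else
        printf '    chainloader %s\n' "$image"
    fi
    printf '}\n'
}

main() {
    full="$ESP_MOUNT$IMAGE_PATH"
    if is_pe_image "$full"; then
        emit_entry "Linux (firmware-verified EFI image)" "$IMAGE_PATH" "$KERNEL_CMDLINE"
    else
        echo "Skipping $full: missing or not a PE image" >&2
    fi
}

main
```

Drop the script into /etc/grub.d, make it executable and re-run grub-mkconfig; the emitted entry boots the image through LoadImage(), so a tampered or unsigned kernel fails at the firmware rather than in grub. Re-sign and copy the image to the ESP on every kernel update, since nothing in the distribution's update path does that for you.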

