On Wed, Mar 5, 2025 at 4:11 AM Andrei Borzenkov <arvidj...@gmail.com> wrote:
>
> 05.03.2025 07:13, Aaron Pace wrote:
> > Hello,
> >
> > I apologize if this has already been answered somewhere. I did a cursory
> > search of the mailing list history, but didn't find a clear answer.
> >
> > I have my own 4096-bit RSA PK, KEK, and DB key enrolled in my BIOS.
> > I have signed grub with the DB key, and it boots correctly.
> >
> > Rather than using shim / MOKmanager / etc., I would like to have GRUB read
> > the DB variable from the EFI store and use the certificates stored there to
> > validate my initrd / vmlinux.
> >
>
> Upstream grub does not do it. And the initrd is normally not verified anyway,
> because it is usually too volatile.
>
> > I haven't found a way to do this yet. I can sign my initrd/vmlinux with a
> > GPG key which I then store in my boot partition, but would like to be able
> > to instead use the one set of keys from the UEFI DB variable to validate
> > everything.
> >
> > Can this be done?
> >
>
> Sure, this can be done. Distributions patch the grub "linux" command to
> invoke the Linux kernel as an EFI binary, in which case the firmware will
> automatically verify it. Upstream grub needs to explicitly verify the image.
>
> If the question is "can this be done in the current upstream grub", I
> guess you could load a Linux kernel with the EFI stub using the EFI
> chainloader command. It will go through the normal EFI LoadImage, which will
> implicitly verify it. But you will need to maintain the grub configuration
> yourself; the default grub-mkconfig has no provision for it (or add an
> /etc/grub.d script to do it).
>
> It will not verify the initrd, though. The only solution that does it is
> systemd UKI (at least, the only one known to me), where kernel and initrd are
> packed into a single EFI binary. Hmm ... if you have it, you can just
> as well load it using grub "chainloader".
>
Thank you greatly for that info; I will explore this.

-Aaron
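The /etc/grub.d route Andrei mentions, as an added example that is not part of the thread and not GRUB's own code: a minimal grub.d-style script that emits one menuentry per signed EFI binary (a systemd UKI or an EFI-stub kernel) and boots it with GRUB's `chainloader`. `chainloader` hands the file to UEFI `LoadImage()`, so with Secure Boot enabled the firmware checks its Authenticode signature against db; GRUB itself performs no verification here, and a `linux`/`initrd` pair in the same config would not get that firmware check. `search --file` is used so no ESP UUID has to be hard-coded. The script name, the directory `/boot/efi/EFI/Linux`, the ESP mountpoint and the menu label format are all assumptions about the layout; grub-mkconfig runs executable scripts in /etc/grub.d in name order and appends their standard output to grub.cfg, so the real helper library sourcing and gettext labelling of the distribution scripts is left out.

```shell
#!/bin/sh
# /etc/grub.d/45_uki_chainload (hypothetical name): emit one GRUB menuentry
# per *.efi under UKI_DIR and boot it with "chainloader". Added example,
# not GRUB upstream code. chainloader goes through UEFI LoadImage(), so
# with Secure Boot on, the firmware verifies the binary against db; GRUB
# does no signature check of its own in this path.

# Host-side locations; both defaults are assumptions about the layout and
# can be overridden via the environment when grub-mkconfig is run.
UKI_DIR="${UKI_DIR:-/boot/efi/EFI/Linux}"
ESP_MOUNT="${ESP_MOUNT:-/boot/efi}"

# Strip the ESP mountpoint so the path is the one GRUB sees on the ESP:
#   /boot/efi/EFI/Linux/x.efi -> /EFI/Linux/x.efi
esp_path() {
    printf '%s\n' "${1#"$2"}"
}

# Menu label derived from the file name without its .efi suffix.
entry_label() {
    base="${1##*/}"
    printf 'Linux UKI (%s)\n' "${base%.efi}"
}

# Emit one menuentry for one EFI binary. "search --file" sets $root to the
# filesystem that actually holds the image, so no UUID is hard-coded.
# A UKI carries its own kernel command line and initrd inside the PE file,
# so nothing else is passed here.
emit_entry() {
    label="$1"
    path="$2"
    cat <<EOF
menuentry '${label}' {
    insmod part_gpt
    insmod fat
    insmod chain
    search --no-floppy --file --set=root ${path}
    chainloader ${path}
}
EOF
}

# Emit entries for every *.efi under directory $1, with ESP mountpoint $2.
# A missing directory or an empty glob produces no output and exit status 0,
# which is what grub-mkconfig expects from a script with nothing to add.
emit_all() {
    dir="$1"
    mnt="$2"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.efi; do
        [ -f "$f" ] || continue
        emit_entry "$(entry_label "$f")" "$(esp_path "$f" "$mnt")"
    done
}

emit_all "$UKI_DIR" "$ESP_MOUNT"
```

Install it executable next to the distribution scripts and rerun grub-mkconfig; the generated entries then boot only images whose signature the firmware accepts, which is the behaviour Andrei describes for `chainloader`.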