[bug #65103] no way to disable secure boot signature for images to boot from grub

2024-01-01 Thread akallabeth
Follow-up Comment #1, bug#65103 (group grub):

missing from the initial report:

1. using 2.12-rc1 debian package with argon2 patches from
https://gitlab.com/mattz7/pkgbuild-public
2. I use different keys for MOK and grub (RSA2048 vs RSA4096)


___

Reply to this item at:

  <https://savannah.gnu.org/bugs/?65103>

___
Message sent via Savannah
https://savannah.gnu.org/




[bug #65103] no way to disable secure boot signature for images to boot from grub

2024-01-01 Thread akallabeth
URL:
  <https://savannah.gnu.org/bugs/?65103>

         Summary: no way to disable secure boot signature for images to boot from grub
           Group: GNU GRUB
       Submitter: akallabeth
       Submitted: Mon 01 Jan 2024 11:04:44 AM UTC
        Category: Security
        Severity: Major
        Priority: 5 - Normal
      Item Group: None
          Status: None
         Privacy: Public
     Assigned to: None
 Originator Name: 
Originator Email: 
     Open/Closed: Open
         Release: other
         Release: 
 Discussion Lock: Any
 Reproducibility: Every Time
 Planned Release: None


___

Follow-up Comments:


---
Date: Mon 01 Jan 2024 11:04:44 AM UTC By: akallabeth 
My setup is as follows:

1. I have a grubx64.efi signed with my own MOK secure boot keys
2. I have enabled signature verification with grub-mkstandalone --pubkey 
and set check_signatures=enforce
3. Booting without secure boot works fine, the grub signature checks are
enforced (cannot load any image that does not have a detached signature with
my grub key id)
4. If I enable secure boot each image must also be signed with my MOK keys or
the image will not boot
5. I have tried to build the grub image with and without --disable-shim-lock

I have not found a way to disable this behavior and let grub boot arbitrary
images that are only signed with the grub key.

The secure boot keys are no longer needed (and in my case only used to make
manipulation of the grub image harder).
All further operations should only depend on the grub signature verification
for my setup.











[bug #55093] Add LUKS2 support

2023-12-25 Thread akallabeth
Follow-up Comment #16, bug#55093 (group grub):

maybe worth mentioning, there are a few working patch sets for argon support
circulating for arch, like this here:
https://gitlab.com/mattz7/pkgbuild-public

