> I think you might misunderstand... what it does is put all the grub config etc into a signed initramfs. So you cannot change the grub.cfg.
I think grub's name for that is not initramfs, but something different?

Anyway: I suggest you look at my secureboot project, you'll see I understand what you're trying to achieve - I did the same thing with systemd-boot.

Now - this is a _very special_ use case, and not what secure boot is designed for (it was designed against systems installing rootkits, not local users fiddling with your FDE). I think shim even allowed you to boot unsigned stuff by pressing a key at some point, because local users are trusted.

Optimally, what you want to do on new kernels and stuff is to take them to a separate offline machine with the key, sign them and transfer them back to reduce the rootkit risk.

The repository makes no mention of that special use case, potentially causing people to install it who do not have FDE or do not need the additional properties of signed early userspace. It only says "Ubuntu is not checking signatures at all, this does", and that's not helpful. If users come along and install it, thinking they make their system more secure, and don't know the tradeoff they make, that's bad.

> I'm not sure what "don't support secure boot without shim" means

You forgot the "we". Shim is part of our secure boot process, and we do not test or work on or support booting without it.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890672

Title:
  secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2
