Re: secure boot in grub (was: Re: PK/KEK for ovmf)

To: Ansgar <ansgar@debian.org>, debian-efi@lists.debian.org
Subject: Re: secure boot in grub (was: Re: PK/KEK for ovmf)
From: Philipp Hahn <pmhahn@pmhahn.de>
Date: Thu, 1 Aug 2019 08:19:49 +0200
Message-id: <[🔎] 36c582c3-07b1-84ad-f481-cfe6335901cd@pmhahn.de>
In-reply-to: <[🔎] 874l31xxly.fsf@43-1.org>
References: <20190731221256.GA21664@xps13.dannf> <[🔎] 874l31xxly.fsf@43-1.org>

Hello Ansgar,

Am 01.08.19 um 07:28 schrieb Ansgar:
> dann frazier writes:
>> [1] https://salsa.debian.org/qemu-team/edk2/blob/debian/debian/PkKek-1.README
> 
> I've no answer to your question right now, but the following sentence
> caught my attention:
> 
> +---
> | When grub is run without the shim protocol registered, it assumes SB is
> | disabled and boots without verifying the kernel.
> +---
> 
> Is this correct?
> 
> If I enroll Debian's signing key and then boot grub directly, does that
> actually disable secure boot?  That looks like a bug to me.

GRUB delegates the signature verification to SHIM - if you do not boot
to SHIM first and let SHIM load GRUB, the SHIM provided service is
missing and GRUB cannot verify the SB chain.

SB is more than just verifying a single signature and I consider it
reasonable for GRUB to not yet implement the SB protocol itself again.
So not a bug, but a reasonable design decision.

Philipp

Reply to:

Follow-Ups:
- Re: secure boot in grub
  - From: Ansgar <ansgar@debian.org>

References:
- secure boot in grub (was: Re: PK/KEK for ovmf)
  - From: Ansgar <ansgar@debian.org>

Prev by Date: secure boot in grub (was: Re: PK/KEK for ovmf)
Next by Date: Re: secure boot in grub
Previous by thread: secure boot in grub (was: Re: PK/KEK for ovmf)
Next by thread: Re: secure boot in grub
Index(es):
- Date
- Thread