Hi! I use grub with secure-boot enabled, and grub enforces signature checks for files it loads. I actually went through a not-so-short trial-and-error process signing all the files correctly. However, if I don't enable user authentication for grub, some malicious user can simply press 'e' and add 'set check_signatures=no'. So I went on to setup authentication of a grub user. However, with users present, any action needs authentication, even just booting with an existing entry. I believe it makes sense to have an option that sets every entry to unrestricted, so secure-boot users won't need to hack into scripts shipped by distributions.
Thank you! _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
