On Tue, Apr 28, 2015 at 10:44 AM, Plamen K. Kosseff <[email protected]> wrote:
> Hello,
>
> Distro: Gentoo ~amd64
> grub version: grub-2.02_beta2
>
> So I have a secure boot enabled system with my own keys. I've signed grub
> and the system is bootable.
> However grub will happily load any kernel, signed or not, which renders
> secure boot useless.
>
> Is there a way to make grub load only signed kernels?
>

Upstream GRUB does not support secure boot signatures (or signed PE in
general). There is support for gpg detached signatures. Distributions
carry extra patch(es) to enable secure boot signature verification
using shim. You need to check the Gentoo documentation for how to do it.
Shim supports enrolling your own keys.

_______________________________________________
Help-grub mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-grub
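
Added example (not part of the original messages): a pre-reboot check for the gpg detached-signature route mentioned in the reply. It assumes GRUB's documented behaviour that, with check_signatures=enforce, each file it loads needs a "<file>.sig" beside it. The function names and the sample tree are constructed for illustration, and the check covers presence only (validity would be confirmed separately with gpg --verify).

```shell
#!/bin/sh
# Added example: report files under a boot directory that have no detached
# signature next to them. With check_signatures=enforce, GRUB refuses to
# load such files, so anything listed here would fail to boot (kernel,
# initramfs) or fail to load (grub.cfg, modules, fonts).

# Print every regular file under $1 that lacks a sibling "<file>.sig".
unsigned_boot_files() {
    dir=$1
    find "$dir" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Constructed sample tree (empty placeholder files) so the function can be
# exercised offline; a real run would point at the actual /boot instead.
make_sample_boot() {
    d=$(mktemp -d)
    mkdir -p "$d/grub"
    : > "$d/vmlinuz";        : > "$d/vmlinuz.sig"
    : > "$d/initramfs.img"                      # deliberately unsigned
    : > "$d/grub/grub.cfg";  : > "$d/grub/grub.cfg.sig"
    printf '%s\n' "$d"
}
```

An empty result means every file has a signature file beside it; any path printed is one GRUB would reject once enforcement is switched on.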
