On 08/12/2016 12:31, Andrei Borzenkov wrote:
>
> I understand that this needs clarification.
>
> GRUB itself is completely Secure Boot agnostic - if you sign binary it
> will likely work and will be able to also chainload other signed
> binaries as long as firmware accepts them.
>
> What it does not support is explicit signature verification using
> popular shim protocol which can be considered bypassing firmware check
> entirely.
>
Ok, I see...
A (I suppose stupid) question: using Preloader should not affect it, right?
Preloader enrolls the binary of grub as valid so it can be started; but, by that logic, it says nothing to grub about which binaries can be chainloaded. Isn't it?
I am pretty ignorant from this point of view, I am sorry about it.

>
> https://bugzilla.opensuse.org/show_bug.cgi?id=954126#c6
>

Thanks for the link!
I've downloaded the grub2 sources for OpenSUSE Tumbleweed (which seems to work now, from the follow-up comments in your link) and I was checking the Secure Boot patches.
I think that the most relevant of them is the one named 'grub2-secureboot-chainloader'. Not sure 100% though.

Additionally, I don't know if you have ever seen some ArchLinux packaging stuff; the build is done with the following git tags:

_GRUB_GIT_TAG="grub-2.02-beta3"
_GRUB_EXTRAS_COMMIT="f2a079441939eee7251bf141986cdd78946e1d20"

I was thinking I can add some of the OpenSUSE patches to the Arch build to add the missing support for SB.

--
Giovanni Santini
My blog: http://giovannisantini.tk
My code: https://git{hub,lab}.com/ItachiSan
My GPG: 2FADEBF5
