How would I go about installing the "shim"?

Thanks,
Federico

On November 22, 2023 1:59:53 AM GMT+01:00, Randy Goldenberg <[email protected]> wrote:
>https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-with-secure-boot.md
>
>On Tue, Nov 21, 2023 at 3:14 PM Federico Angelilli <[email protected]> wrote:
>
>> Hello,
>> A few months ago I decided to turn on secure boot on my dual os desktop,
>> mainly due to some SB related shenanigans in Windows 11.
>> After a (fairly long) session of trial and error, I finally got
>> everything to work like this:
>> 1) Whenever my kernel is built (I'm using a custom kernel) sign it with
>> the right SB key
>> 2) When updating grub, sign it with the SB key as well
>>
>> Everything now works: I can boot with SB enabled to grub, then I can
>> either choose to use the linux signed kernel or the windows chainloader.
>> Except for a small detail: I can boot even from the unsigned kernels.
>> While I first thought of it as an error on my configuration, it turned out
>> to be a shortcoming in grub itself (as far as I understand), that simply
>> cannot verify sb signatures on its own.
>>
>> So, how can I set up grub in a way that I can:
>> 1) boot with secure boot enabled to the grub menu
>> 2) only boot from entries that are signed themselves
>>
>> Thanks,
>> Federico
