URL: <https://savannah.gnu.org/bugs/?56887>
Summary: grub-PC check_signatures=enforce support (non-EFI)
Project: GNU GRUB
Submitted by: adrelanos
Submitted on: Fri 13 Sep 2019 06:09:43 AM UTC
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Feature Request
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release:
Release: 2.02~rc1
Reproducibility: Every Time
Planned Release: None

_______________________________________________________

Details:

Could you please make it possible to do signature verification with grub-pc too?

Rationale:

We, the maintainers of Linux distributions that primarily run inside VMs (Whonix; Kicksecure), would like to implement verified boot. Not necessarily Secure Boot.

At the moment, there are no tools that can create VM images (with Debian Linux) which support EFI booting. Also, support by virtualizers such as KVM, Xen, VirtualBox for Secure Boot is either non-existent or undocumented.

Another reason is that inside VMs we don't necessarily need the complexity of EFI. Instead we could boot unverified (usual virtual BIOS legacy boot) from a virtual, read-only (write protected) boot medium (such as ISO). That boot loader on the initial boot disk (grub2) could then verify and chainload the boot loader (grub2) on the main disk, which would then go on to verify the kernel. As a result, we would have a verified boot sequence.