I'm the author of that secure boot package. I think you might misunderstand... what it does is put all the grub config etc. into a signed initramfs. So you cannot change the grub.cfg. Also, to sign the binaries you need the GPG keyring and the passphrase.
The objective is to *not* use the shipped trusted Microsoft key. The only key in the UEFI keystore is our own chain of trust. So the goal is to *not* use shim. It is used in conjunction w/ full disk encryption. The only file unencrypted is a single grub w/ the initramfs, and that is in turn signed. The kernel, etc., are all on the encrypted disk. Thus they cannot be tampered with by e.g. removing the disk etc. Installing shim means adding someone else's trust, which I don't accept.

I'm not sure what "don't support secure boot without shim" means, but I don't think that can or should be true. It doesn't support booting the Microsoft-signed keys w/o shim, but it's certainly legal to remove the Microsoft keys from the BIOS and still use secure boot.

As for the check_signatures=no, I'm ok if that is removed as a feature I guess, but it would need to be removed from the documentation. In my case it's not a reduction in security (since you cannot change the grub.cfg w/o having the trust chain anyway).

So tl;dr:

* no, shim is not required to support secure boot
* yes, you can self-sign securely
* no, merely having an option in grub.cfg or grub cmdline to disable subsequent checks need not reduce the security, as long as it is gated by being in a signed initramfs (and grub password is as strong as bios password)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890672

Title:
  secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
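The scheme the comment describes (one signed GRUB image on the unencrypted ESP, its config embedded in the signed memdisk, enforcement turned on before anything else is loaded, and any later relaxation of checks gated behind a GRUB password) lends itself to a small build-time audit. The script below is an added example, not the package author's code or anything from the bug thread; it checks a constructed ESP layout and a constructed embedded-config source against those rules. The file names, the `set check_signatures=enforce` convention, and the assumption that the memdisk text is visible uncompressed in the image (grep -a on a plain-text stand-in here) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread or the package): audit the inputs of a
# self-signed, shim-free GRUB build of the kind described in the comment above.
# Names, paths and the 'enforce first, password-gate any relaxation' rule are
# assumptions of this example.

# check_embedded_cfg CFG: 0 if CFG enforces signature checks before loading
# anything, and any 'check_signatures=no' is gated behind superusers + password.
check_embedded_cfg() {
    cfg=$1
    # Line number of the first enforce directive and of the first load-type command.
    enforce=$(grep -n 'set check_signatures=enforce' "$cfg" | head -n 1 | cut -d: -f1)
    load=$(grep -nE '^[[:space:]]*(linux|initrd|configfile|source|chainloader) ' "$cfg" \
           | head -n 1 | cut -d: -f1)
    if [ -z "$enforce" ]; then
        echo "FAIL: $cfg never sets check_signatures=enforce"; return 1
    fi
    if [ -n "$load" ] && [ "$load" -lt "$enforce" ]; then
        echo "FAIL: $cfg loads something (line $load) before enforcing (line $enforce)"
        return 1
    fi
    # Turning checks off later is tolerated only behind a superuser password.
    if grep -q 'check_signatures=no' "$cfg"; then
        if ! grep -q '^[[:space:]]*set superusers=' "$cfg" || ! grep -q 'password_pbkdf2' "$cfg"; then
            echo "FAIL: $cfg relaxes check_signatures without a password gate"; return 1
        fi
    fi
    return 0
}

# audit_esp DIR: 0 when DIR holds exactly one EFI image, nothing else, and that
# image carries an enforcing config.
audit_esp() {
    esp=$1
    rc=0
    n_efi=$(find "$esp" -type f -iname '*.efi' | wc -l)
    [ "$n_efi" -eq 1 ] || { echo "FAIL: $n_efi EFI images in $esp (want exactly 1)"; rc=1; }
    # Anything else unencrypted sits outside the signed image and is editable.
    extra=$(find "$esp" -type f ! -iname '*.efi')
    [ -z "$extra" ] || { echo "FAIL: loose files on the ESP:"; echo "$extra"; rc=1; }
    # Assumption: the memdisk is embedded uncompressed, so grep -a sees the directive.
    find "$esp" -type f -iname '*.efi' | while read -r efi; do
        grep -aq 'set check_signatures=enforce' "$efi" ||
            echo "FAIL: $efi carries no enforcing config"
    done | grep . && rc=1
    return $rc
}

# make_sample_esp good|bad: constructed ESP under a temp dir; prints its path.
# The .efi files are plain-text stand-ins for a grub-mkstandalone image.
make_sample_esp() {
    d=$(mktemp -d)
    mkdir -p "$d/EFI/BOOT"
    if [ "$1" = good ]; then
        printf 'PE-stub\nset check_signatures=enforce\ncryptomount -a\n' > "$d/EFI/BOOT/BOOTX64.EFI"
    else
        printf 'PE-stub\ninsmod part_gpt\n' > "$d/EFI/BOOT/BOOTX64.EFI"
        printf 'set check_signatures=no\nlinux /vmlinuz\n' > "$d/EFI/BOOT/grub.cfg"
    fi
    echo "$d"
}

# make_sample_cfg good|bad: constructed embedded-config source; prints its path.
make_sample_cfg() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
set check_signatures=enforce
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER
cryptomount -a
set root=(crypto0)
configfile /boot/grub/grub.cfg
EOF
    else
        cat > "$f" <<'EOF'
set superusers="root"
configfile /boot/grub/grub.cfg
set check_signatures=enforce
EOF
    fi
    echo "$f"
}

# Stand-alone run: audit the constructed good and bad layouts.
if [ "${1:-}" = demo ]; then
    audit_esp "$(make_sample_esp good)" && echo "good ESP: ok"
    audit_esp "$(make_sample_esp bad)" || echo "bad ESP: findings above"
    check_embedded_cfg "$(make_sample_cfg good)" && echo "good cfg: ok"
    check_embedded_cfg "$(make_sample_cfg bad)" || echo "bad cfg: findings above"
fi
```

On a real build you would run `audit_esp` against the mounted ESP and `check_embedded_cfg` against the config handed to grub-mkstandalone, and add the two steps that need keys and tools and so are left out here: verifying the image's Authenticode signature against your own certificate, and verifying the detached GPG signatures on the kernel, initrd and config that live on the encrypted root.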