17.04.2017 21:39, Neil Rickert wrote:
On 04/17/2017 12:16 PM, Andrei Borzenkov wrote:
Not sure what you mean here. Ubuntu is using the same shim;
Then they are using an older version of shim and/or an older version of grub2-efi.
The "grub.cfg" that they use is loading the kernel with "linux" rather than with "linuxefi", so the signature is not checked.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1245154 suggests that "linux" loader should call "linuxefi".
I've tested this by replacing their signed kernel with their unsigned kernel, and ubuntu still boots (using the ubuntu shim and secure-boot enabled).
The patch that implements the above looks strange indeed. It does attempt to call linuxefi, but if it fails, it is silently ignored. And of course it fails if signature verification fails.
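An added example, not part of the original message: a shell check that lists, for each menuentry in a grub.cfg, whether the kernel is loaded with `linux` or `linuxefi`, which is the distinction discussed in this thread. The function names and the sample configuration are constructed for illustration; an entry reported as `linux` only shows which command grub.cfg uses, not what that command does internally on a given distribution.

```shell
#!/bin/sh
# Report which GRUB command loads the kernel in each menuentry.

# audit_grub_cfg [FILE] -> one "<loader><TAB><menuentry title>" line per kernel
# load command. Reads standard input when FILE is omitted.
audit_grub_cfg() {
    awk '
        # Remember the title of the menuentry we are currently inside.
        /^[ \t]*menuentry[ \t]/ {
            title = $0
            sub(/^[ \t]*menuentry[ \t]+/, "", title)
            q = substr(title, 1, 1)
            # Titles are normally quoted; \047 is the single-quote character.
            if (q == "\"" || q == "\047") {
                title = substr(title, 2)
                i = index(title, q)
                if (i > 0) title = substr(title, 1, i - 1)
            }
            next
        }
        # Kernel load commands appear as the first word on the line.
        $1 == "linux" || $1 == "linux16" || $1 == "linuxefi" {
            printf "%s\t%s\n", $1, title
        }
    ' "${1:--}"
}

# count_non_efi_loads [FILE] -> number of kernel lines not using linuxefi.
count_non_efi_loads() {
    audit_grub_cfg "${1:--}" |
        awk -F '\t' '$1 != "linuxefi" { n++ } END { print n + 0 }'
}

# Constructed sample input, not taken from any real system.
sample_cfg() {
    cat <<'EOF'
menuentry 'Entry A (constructed)' {
    linuxefi /boot/vmlinuz-a root=/dev/sda2
    initrdefi /boot/initrd-a
}
menuentry "Entry B (constructed)" {
    linux /boot/vmlinuz-b root=/dev/sda2
    initrd /boot/initrd-b
}
EOF
}

# Stand-alone run over the constructed sample.
sample_cfg | audit_grub_cfg
```

To audit a real system, pass the path of its generated grub.cfg as the argument; the location varies by distribution.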