On 04/17/2017 02:47 PM, Andrei Borzenkov wrote:
17.04.2017 21:39, Neil Rickert wrote:
On 04/17/2017 12:16 PM, Andrei Borzenkov wrote:
The "grub.cfg" that they use is loading the kernel with "linux" rather than with "linuxefi", so the signature is not checked.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1245154 suggests that "linux" loader should call "linuxefi".
I considered that to be a possibility. That's why I tested with an unsigned kernel. And it still booted. But if I changed the "grub.cfg" to use "linuxefi" and "initrdefi", then it failed with an unsigned kernel, but worked with a signed kernel. This was all using the ubuntu NVRAM entry for booting.
The patch that implements the above looks strange indeed. It does attempt to call linuxefi, but if it fails, it is silently ignored. And of course it fails if signature verification fails.
Interesting. But that's from 2013. And they still don't have it working correctly. So I tested, again using the ubuntu NVRAM entry, and editing "grub.cfg" to use "linuxefi" and "initrdefi". And it boots ubuntu with their signed kernel. It boots KaOS with a kernel that I signed. But it also boots opensuse, with a kernel signed by opensuse. That one had me puzzled, but I think your comment explains that. I should add that "mokutil" as run from ubuntu shows two Canonical keys, and shows my own machine owner key. But it does not show any opensuse keys. So it should have failed the opensuse boot. But that still succeeded.
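The thread's point is that a menu entry using "linux"/"initrd" skips the shim signature check that "linuxefi"/"initrdefi" perform. As an added example (not part of the thread or of any distribution's tooling), the script below audits a constructed sample grub.cfg and flags every entry that still loads the kernel through the unverified "linux" command; the sample entries and paths are made up for illustration.

```shell
#!/bin/sh
# Added example: find grub.cfg menu entries that load the kernel with "linux"
# instead of "linuxefi". On a Secure Boot system only the *efi commands hand
# the kernel to shim for signature verification. Sample config is constructed.

SAMPLE_GRUB_CFG='menuentry "Ubuntu" {
	linuxefi /boot/vmlinuz-sample root=/dev/sda2 ro
	initrdefi /boot/initrd.img-sample
}
menuentry "KaOS (unsigned loader path)" {
	linux /boot/vmlinuz-kaos root=/dev/sda3 ro
	initrd /boot/initrd-kaos
}
menuentry "openSUSE" {
	linuxefi /boot/vmlinuz-opensuse root=/dev/sda4 ro
	initrdefi /boot/initrd-opensuse
}'

# audit_grub_cfg: read a grub.cfg on stdin; print "unverified: <title>" for each
# menuentry that uses the plain "linux" command. Prints nothing if all entries
# use linuxefi. The title is taken from the quoted string after "menuentry".
audit_grub_cfg() {
    awk '
        /^[[:space:]]*menuentry[[:space:]]/ {
            title = $0
            sub(/^[^"'\'']*["'\'']/, "", title)   # drop everything up to the opening quote
            sub(/["'\''].*$/, "", title)          # drop the closing quote and the rest
        }
        /^[[:space:]]*linux[[:space:]]/ {          # matches "linux ", not "linuxefi "
            print "unverified: " title
        }
    '
}

# count_unverified: number of flagged entries in the constructed sample.
count_unverified() {
    printf '%s\n' "$SAMPLE_GRUB_CFG" | audit_grub_cfg | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_GRUB_CFG" | audit_grub_cfg
```

Run it against a real /boot/grub/grub.cfg with `audit_grub_cfg < /boot/grub/grub.cfg` to see which entries would boot an unsigned kernel on a Secure Boot machine.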