What | Removed | Added |
---|---|---|
Flags | needinfo?(guillaume.gardet@arm.com) |
Hi Guillaume,

I renamed the option from --signed-grub to --suse-signed-grub, as conventionally we use the suse prefix to distinguish it from upstream options.

The development of the patch enabling --suse-signed-grub support in grub2-install took place in the obs project.

> https://build.opensuse.org/package/show/home:michael-chang:bsc:1136601/grub2

The patch name is grub2-secureboot-add-option-to-install-signed-grub.patch

> https://build.opensuse.org/package/view_file/home:michael-chang:bsc:1136601/grub2/grub2-secureboot-add-option-to-install-signed-grub.patch?expand=1

Use tab_size=8 for better viewing of the indentation.

You can branch from it to build your own test package, or you could use the published repository from the development project for testing.

> https://download.opensuse.org/repositories/home:/michael-chang:/bsc:/1136601/openSUSE_Factory_ARM

To test installing signed grub, run

> grub2-install --suse-signed-grub

or in addition with whatever options you may want to test together, e.g. "--removable --no-nvram".

The pubkey certificate exported from the development project, which can be enrolled into Secure Boot's db to validate the signed image, is located in

> /usr/share/efi/x86_64/grub.der

You may have to refer to the firmware's manual for how to enroll certificates, or booting will fail with a security violation if grub.der is missing from the firmware key store and thus not trusted.

So far I have done most testing on x64 with Secure Boot enabled, in combination with a handful of different setups, to make sure the grub.cfg does the right thing for the signed grub to find the real grub.cfg in the linux partition.

Now it looks good enough to me for a new test round on arm64. I planned to do it tomorrow, but we can work in parallel to speed things up. Please help to test on arm64.

Thanks.