[Bug 1136601] Installed grub (grubaa64.efi) is not signed - Yast-bootloader does not support SecureBoot on aarch64
http://bugzilla.suse.com/show_bug.cgi?id=1136601
http://bugzilla.suse.com/show_bug.cgi?id=1136601#c13

Michael Chang <mchang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|                            |needinfo?(guillaume.gardet@arm.com)

--- Comment #13 from Michael Chang <mchang@suse.com> ---

Hi Guillaume,

I renamed the option from --signed-grub to --suse-signed-grub, as conventionally we use the suse prefix to distinguish from upstream options. The development of the patch enabling --suse-signed-grub support in grub2-install took place in the OBS project
https://build.opensuse.org/package/show/home:michael-chang:bsc:1136601/grub2
The patch name is grub2-secureboot-add-option-to-install-signed-grub.patch
https://build.opensuse.org/package/view_file/home:michael-chang:bsc:1136601/...
Use tab_size=8 for better viewing of the indentation. You can branch from it to build your own test package, or you could use the published repository from the development project for testing.
https://download.opensuse.org/repositories/home:/michael-chang:/bsc:/1136601...
To test installing signed grub, run
grub2-install --suse-signed-grub
or together with whatever other options you may want to test, e.g. "--removable --no-nvram". The pubkey certificate exported from the development project, which can be enrolled in Secure Boot's db to validate the signed image, is located in
/usr/share/efi/x86_64/grub.der
You may have to refer to the firmware's manual for how to enroll certificates; otherwise booting will fail with a security violation, since a grub.der missing from the firmware key store means the image is not trusted. So far I have done most testing on x64 with Secure Boot enabled, in combination with a handful of different setups, to make sure the grub.cfg does the right thing for the signed grub to find the real grub.cfg in the Linux partition. Now it looks good enough to me for a new test round on arm64. I planned to do it tomorrow, but we can work in parallel to speed things up. Please help to test on arm64. Thanks.

--
You are receiving this mail because:
You are on the CC list for the bug.
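A quick way to confirm what grub2-install actually wrote, before rebooting with Secure Boot enabled, is to look at the installed EFI binary's PE header: the machine field tells you whether it is an aarch64 or x86_64 image, and data directory entry 4 (the Certificate Table) tells you whether an Authenticode signature is attached at all. The script below is an added example, not part of the bug report or the grub2 package; it constructs a minimal, non-bootable PE32+ image inline for demonstration, and only detects the presence of a signature, so the signer still has to be checked against grub.der with a tool such as sbverify or pesign.

```python
import struct

IMAGE_FILE_MACHINE = {0x8664: "x86_64", 0xAA64: "aarch64", 0x014C: "i386"}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob


def inspect_efi_image(data: bytes) -> dict:
    """Return the target machine and whether a Certificate Table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ...
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:       # PE32: data directories start at offset 96
        dd_off = opt_off + 96
    elif magic == 0x20B:     # PE32+: data directories start at offset 112
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic")
    # Entry 4 = Certificate Table; unlike other entries it is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    signed = False
    if cert_size >= 8 and cert_off + cert_size <= len(data):
        length, _revision, ctype = struct.unpack_from("<IHH", data, cert_off)
        signed = ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length >= 8
    return {"machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)), "signed": signed}


def build_sample_image(machine: int, signed: bool) -> bytes:
    """Constructed sample: a minimal PE32+ header, optionally with a stub certificate table."""
    opt_size = 112 + 16 * 8                     # PE32+ header + 16 data directories
    img = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", img, 0x3C, 0x40)     # e_lfanew -> PE header at 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    img += opt
    if signed:
        # WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType) + placeholder bytes
        cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 4
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 4 * 8, len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    for arch, flag in ((0xAA64, True), (0xAA64, False), (0x8664, True)):
        print(inspect_efi_image(build_sample_image(arch, flag)))
```

On a real system, replace the constructed sample with the bytes of /boot/efi/EFI/<distro>/grubaa64.efi (path is an assumption; it depends on the installation).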