[opensuse-buildservice] linked grub2 package - secure boot failure
I am working on a grub2 patch and build a branched grub2 from Base:System / grub2 in my home project. It compiles/publishes and works fine but secure boot does not work when this grub2 package is installed. I understand that each rpm is signed with a specific key for the corresponding project, but I do not understand how this causes secure boot to fail. I would like to understand what causes this.

Thanks in advance,
Damian

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

On 19.04.20 at 22:49, Damian Ivanov wrote:
> I am working on a grub2 patch and build a branched grub2 from Base:System / grub2 in my home project.
> It compiles/publishes and works fine but secure boot does not work when this grub2 package is installed.
> I understand that each rpm is signed with a specific key for the corresponding project, but I do not understand how this causes secure boot to fail.
> I would like to understand what causes this.

Hi,

Secure boot means a chain of trust - the BIOS has a key from Microsoft, shim is signed with that, so the BIOS loads shim. Shim in return contains openSUSE keys so it will load what's signed with openSUSE keys. Your grub is not signed with openSUSE key, so it's not trusted.

-> For your patched grub to work on secure boot, you need to compile shim also (and very likely also the kernel) with your key and then tell your BIOS to trust it.

Greetings, Stephan

--
Lighten up, just enjoy life, smile more, laugh more, and don't get so worked up about things.
Kenneth Branagh

Hello Stephan,

Thank you for the information. Have a great day.

On Mon, Apr 20, 2020 at 8:34 AM Stephan Kulow <coolo@suse.de> wrote:
> On 19.04.20 at 22:49, Damian Ivanov wrote:
> > I am working on a grub2 patch and build a branched grub2 from Base:System / grub2 in my home project.
> > It compiles/publishes and works fine but secure boot does not work when this grub2 package is installed.
> > I understand that each rpm is signed with a specific key for the corresponding project, but I do not understand how this causes secure boot to fail.
> > I would like to understand what causes this.
>
> Hi,
>
> Secure boot means a chain of trust - the BIOS has a key from Microsoft, shim is signed with that, so the BIOS loads shim. Shim in return contains openSUSE keys so it will load what's signed with openSUSE keys. Your grub is not signed with openSUSE key, so it's not trusted.
>
> -> For your patched grub to work on secure boot, you need to compile shim also (and very likely also the kernel) with your key and then tell your BIOS to trust it.

Participants (2): Damian Ivanov, Stephan Kulow