On Fri, 27 Mar 2015 13:04:04 -0600
Chris Murphy
On Fri, Mar 27, 2015 at 11:51 AM, Andrei Borzenkov
wrote:

Secure Boot chainloading of the Windows bootloader does not need any patches. It is signed and will pass verification when loaded by the standard EFI chainloader. Patches are needed to allow loading of non-signed (at least, by Microsoft or in general signed by keys unknown to the firmware) EFI executables.
https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-se...
With Secure Boot enabled, openSUSE GRUB's Windows menu entries work.
On Fedora and Ubuntu, they don't work, unless Secure Boot is disabled and then the menu entries work.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1091464
https://bugzilla.redhat.com/show_bug.cgi?id=1170245
I built grub (using current upstream sources), created and enrolled my key (see https://en.opensuse.org/openSUSE:UEFI), signed the built grub with this key and tried to reproduce it (shim - grub - chainloader). This is the upstream version, so it does not include the openSUSE key. I cannot reproduce it. As long as the firmware accepts the EFI image (without security violation), grub can load and launch the same image.

I did observe the same error in two cases - the image is not a valid EFI executable (like bootmgr.efi) or the image fails signature verification.

I did have problems initially, because the OVMF image does not include the Microsoft PK in the signature database by default and the Microsoft bootloader appears to be signed by it. So it failed signature verification itself. I had to enroll the Microsoft PK into db to make it work.

Maybe there is some bug lurking in older grub versions, although the last commit to the EFI chainloader is almost one and a half years ago. We cannot exclude bugs in distro-specific grub patches. Maybe firmware implementations behave differently when launching an EFI binary directly from the EFI boot manager and when loading it using the LoadImage API. It's possible that OVMF misbehaves here (e.g. it allows me to enroll a custom verification key that is not itself signed by the KEK).

I would be very interested to see the full values of the PK, KEK and db EFI variables from systems affected by the mentioned bugs for a start.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
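The PK, KEK and db values Andrei asks for are chains of EFI_SIGNATURE_LIST structures. As an added example (not code from this thread or from any of the projects it mentions), a stdlib-only parser that walks those lists and reports each entry's owner GUID and certificate fingerprint, so an affected system's key inventory can be compared with the one on a working machine; it assumes the standard efivarfs layout under /sys/firmware/efi/efivars and runs here against a constructed sample database.

```python
import hashlib, struct, uuid
from pathlib import Path
# Signature-type GUIDs from the UEFI spec (EFI_SIGNATURE_LIST.SignatureType)
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
# efivarfs exposes each variable as /sys/firmware/efi/efivars/<name>-<vendor GUID>
GLOBAL, SECDB = "8be4df61-93ca-11d2-aa0d-00e098032b8c", "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
VENDOR = {"PK": GLOBAL, "KEK": GLOBAL, "db": SECDB, "dbx": SECDB}

def parse_siglists(data):
    """Return [(type GUID, owner GUID, payload)] for every EFI_SIGNATURE_DATA."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])   # GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if sig_size <= 16 or list_size < 28 + hdr_size or end > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:            # fixed-size EFI_SIGNATURE_DATA entries
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries
def summarize(data):
    """One line per entry: owner GUID plus cert fingerprint or the raw hash."""
    out = []
    for sig_type, owner, payload in parse_siglists(data):
        if sig_type == X509:
            what = "x509 sha256=" + hashlib.sha256(payload).hexdigest()
        elif sig_type == SHA256:
            what = "hash=" + payload.hex()
        else:
            what = "type=" + str(sig_type)
        out.append(f"owner={owner} {what}")
    return out
def read_efivar(name):
    """Read a live variable; efivarfs prefixes the data with 4 attribute bytes."""
    return Path(f"/sys/firmware/efi/efivars/{name}-{VENDOR[name]}").read_bytes()[4:]
def build_siglist(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (used only to construct the sample below)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body
# Constructed sample "db": one fake DER blob plus two SHA-256 allow-list hashes
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (build_siglist(X509, OWNER, [b"\x30\x82\x01\x00" + b"A" * 20]) +
             build_siglist(SHA256, OWNER, [b"\x11" * 32, b"\x22" * 32]))
```

On a real system, `summarize(read_efivar("db"))` (and likewise for PK and KEK) produces the inventory; a Secure Boot chainload failure like the one discussed above shows up as the absence of the expected owner's certificate fingerprint from db.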