On 04/17/2017 12:16 PM, Andrei Borzenkov wrote:
> Not sure what you mean here. Ubuntu is using the same shim;
Then they are using an older version of shim and/or an older version of grub2-efi. The "grub.cfg" that they use is loading the kernel with "linux" rather than with "linuxefi", so the signature is not checked. I've tested this by replacing their signed kernel with their unsigned kernel, and Ubuntu still boots (using the Ubuntu shim and secure-boot enabled).
> do you imply that Ubuntu shim fakes verification?
No. Canonical fakes verification. They provide a signed kernel, where the signature is not actually verified. On the install screen, they do a song and dance about having to disable secure boot if using a proprietary video driver, which would only matter if kernel and driver signature are checked. But then they don't actually check signatures.
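
Added example, not part of the original thread: a small audit script that lists which loader command each `grub.cfg` menu entry uses, so entries booted with "linux" rather than "linuxefi" (the distinction the message above draws) can be found. The sample configuration is constructed, the function names are hypothetical, and treating every non-"linuxefi" entry as needing review is an assumption taken from the message, not a statement about every GRUB build.

```python
import re

# Constructed sample grub.cfg (not taken from any real distribution image).
SAMPLE_GRUB_CFG = r'''
menuentry 'Distro A' --class gnu-linux {
    insmod gzio
    linux /boot/vmlinuz-4.10.0 root=/dev/sda2 ro quiet
    initrd /boot/initrd.img-4.10.0
}
submenu 'Advanced options' {
    menuentry "Distro B (recovery)" {
        linuxefi /boot/vmlinuz-4.4.0 root=/dev/sda3 ro single
        initrdefi /boot/initrd-4.4.0
    }
}
'''

# Title of a menuentry, in single or double quotes.
ENTRY_RE = re.compile(r'''^\s*menuentry\s+(['"])(.*?)\1''')
# Kernel loader commands; "linuxefi" is listed first so it is not read as "linux".
LOADER_RE = re.compile(r'^\s*(linuxefi|linux16|linux)\s+(\S+)')

def audit_grub_cfg(text):
    """Return a list of (menuentry title, loader command, kernel path)."""
    results = []
    title = None
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # skip comment lines
        m = ENTRY_RE.match(line)
        if m:
            title = m.group(2)
            continue
        m = LOADER_RE.match(line)
        if m:
            results.append((title, m.group(1), m.group(2)))
    return results

def entries_without_linuxefi(text):
    """Entries whose kernel is loaded by anything other than linuxefi."""
    return [r for r in audit_grub_cfg(text) if r[1] != 'linuxefi']

if __name__ == '__main__':
    import sys
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRUB_CFG
    for title, cmd, kernel in audit_grub_cfg(cfg):
        flag = 'ok' if cmd == 'linuxefi' else 'REVIEW'
        print(f'{flag:6} {cmd:9} {kernel}  [{title}]')
```

Run it with the path to a generated `grub.cfg` as the only argument; with no argument it audits the constructed sample.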