On Fri, Oct 26, 2012 at 5:14 PM, Carlos E. R.
On 2012-10-26 23:01, Greg Freemyer wrote:
I assume you can do that, but I don't know if DOS will even run a signed kernel. Remember the kernel typically has to be pulled out of the signed container. Don't know how you would do that with 2012 and before operating systems.
Thus it may be that openSUSE 12.2 and older will never run with UEFI Secure Boot systems. (We are beyond my knowledge at this point.)
I think, IIRC, that it is not the kernel that is signed, but the loader, i.e. grub, or even some other loader that loads grub. Or both.
Remember, the SUSE team wants to enhance the functionality of secure boot, not bypass it. Just using a signed version of Grub would not provide any security over disabling Secure Boot.
From the blog:
https://www.suse.com/blogs/uefi-secure-boot-plan/
==
At the implementation layer, we intend to use the shim loader originally developed by Fedora – it’s a smart solution which avoids several nasty legal issues, and simplifies the certification/signing step considerably. This shim loader’s job is to load grub2 and verify it; this version of grub2 in turn will load kernels signed by a SUSE key only.
==
That is misleadingly simple, but you get the idea. The more detailed blog post is here: https://www.suse.com/blogs/uefi-secure-boot-details/
Feel free to dive in, but the "goal" is to extend secure boot through grub2 such that only signed kernels can be booted. If you don't want that, turn it off. (Will Windows 8 run with Secure Boot disabled? I don't know.)
Greg