fai-cd: add secureboot capability for AMD64#134
insatomcat wants to merge 1 commit into faiproject:master
Conversation
76c48f4 to 3ec0442
grub-mkstandalone generates a GRUB EFI program on the fly, so it can't be signed, and so it can't be booted on systems with Secure Boot. This is a proposal to have fai-cd capable of generating .iso files with Secure Boot capability. The idea is to use the official Secure Boot loader (shim), which is signed, and to give it the grub config.

Signed-off-by: Florent Carli <florent.carli@rte-france.com>
3ec0442 to a681a22
I'd like to know whether it's possible to boot such an ISO also without Secure Boot enabled. Or do we need a switch to enable or disable the inclusion of shim in the ISO?

Yes, this works fine without Secure Boot enabled. Including shim in the ISO does not prevent booting on systems where Secure Boot is disabled. In that case, the firmware will simply execute shim as a normal EFI application, and shim will in turn chainload GRUB exactly the same way as it does when Secure Boot is enabled (just without signature verification being enforced by the firmware). So you don't need a separate switch or two different ISOs. A single ISO that includes shim + signed GRUB will boot both on Secure Boot–enabled systems and on systems with Secure Boot disabled. This is the standard approach used by most distributions for their install media.
grub-mkstandalone generates a GRUB EFI program on the fly, so it can't be signed, and so it can't be booted on systems with Secure Boot.
This is a proposal to have fai-cd capable of generating .iso files with Secure Boot capability.
The idea is to use the official Secure Boot loader (shim) to load the signed GRUB program and to give it the grub config at runtime.
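The layout the reply above describes (shim as the removable-media loader, the signed GRUB beside it, the grub.cfg supplied by the ISO) as a small staging script with a post-build check. This is an added example, not fai-cd's code and not the PR's patch. It assumes the Debian package paths /usr/lib/shim/shimx64.efi.signed and /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed as defaults, the removable-media path EFI/BOOT/BOOTX64.EFI, and that the signed GRUB build reads grub.cfg from the directory it was loaded from; which file a signed GRUB actually reads is fixed by the config embedded in it at signing time, so confirm that for your distribution's build. The sample inputs are constructed fakes carrying only the PE "MZ" magic.

```shell
#!/bin/sh
# Added example (not fai-cd code): stage a Secure Boot capable EFI/BOOT tree
# from a signed shim and a signed GRUB, plus the grub.cfg the ISO supplies.
# Assumed default locations of the Debian-packaged signed binaries:
#   shim-signed:           /usr/lib/shim/shimx64.efi.signed
#   grub-efi-amd64-signed: /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
set -e

SHIM_DEFAULT=/usr/lib/shim/shimx64.efi.signed
GRUB_DEFAULT=/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed

# Return 0 if FILE is non-empty and starts with the PE/COFF "MZ" magic,
# i.e. looks like an EFI application rather than a stray text file.
is_pe_image() {
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = "MZ" ]
}

# stage_secureboot_esp SHIM GRUB GRUB_CFG DEST
# Lays out DEST/EFI/BOOT so that firmware runs shim (as the removable-media
# path BOOTX64.EFI), shim chainloads grubx64.efi from the same directory, and
# GRUB finds grub.cfg beside it (assumed lookup location, see lead-in).
# Nothing is generated on the fly: both EFI binaries are copied byte-for-byte
# so the signatures shim verifies under Secure Boot stay valid.
stage_secureboot_esp() {
    shim=$1 grub=$2 cfg=$3 dest=$4
    is_pe_image "$shim" || { echo "not a PE image: $shim" >&2; return 1; }
    is_pe_image "$grub" || { echo "not a PE image: $grub" >&2; return 1; }
    [ -s "$cfg" ]       || { echo "missing grub.cfg: $cfg" >&2; return 1; }
    mkdir -p "$dest/EFI/BOOT"
    cp "$shim" "$dest/EFI/BOOT/BOOTX64.EFI"
    cp "$grub" "$dest/EFI/BOOT/grubx64.efi"
    cp "$cfg"  "$dest/EFI/BOOT/grub.cfg"
}

# check_secureboot_esp DEST SHIM GRUB
# Post-build check: all three files are present, the two binaries are PE
# images, and they are identical to the signed originals. A regenerated or
# patched copy (what grub-mkstandalone produces) would fail this and would
# also fail shim's signature check on a Secure Boot system.
check_secureboot_esp() {
    dest=$1 shim=$2 grub=$3
    boot=$dest/EFI/BOOT
    is_pe_image "$boot/BOOTX64.EFI" || return 1
    is_pe_image "$boot/grubx64.efi" || return 1
    [ -s "$boot/grub.cfg" ]         || return 1
    cmp -s "$shim" "$boot/BOOTX64.EFI" || return 1
    cmp -s "$grub" "$boot/grubx64.efi" || return 1
}

# verify_signed FILE CERT
# Optional extra: confirm FILE carries an Authenticode signature that chains
# to CERT (e.g. the distribution CA that shim embeds), using sbverify from
# sbsigntool. Skipped, not failed, when the tool is absent.
verify_signed() {
    command -v sbverify >/dev/null 2>&1 || {
        echo "sbverify not installed; skipping signature check" >&2; return 0; }
    sbverify --cert "$2" "$1"
}

# Constructed sample inputs for a stand-alone run: fake "MZ"-headed binaries
# and a minimal grub.cfg. Real use passes the signed files named above.
make_sample_inputs() {
    dir=$1
    mkdir -p "$dir"
    printf 'MZ\0\0fake-shim' > "$dir/shimx64.efi.signed"
    printf 'MZ\0\0fake-grub' > "$dir/grubx64.efi.signed"
    printf 'set timeout=5\nmenuentry "FAI" { linux /boot/vmlinuz ; initrd /boot/initrd.img }\n' \
        > "$dir/grub.cfg"
}

demo() {
    work=$(mktemp -d)
    make_sample_inputs "$work/in"
    stage_secureboot_esp "$work/in/shimx64.efi.signed" "$work/in/grubx64.efi.signed" \
                         "$work/in/grub.cfg" "$work/esp"
    check_secureboot_esp "$work/esp" "$work/in/shimx64.efi.signed" "$work/in/grubx64.efi.signed"
    echo "staged and checked EFI/BOOT under $work/esp"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to exercise it on the constructed inputs, or source it and call `stage_secureboot_esp "$SHIM_DEFAULT" "$GRUB_DEFAULT" path/to/grub.cfg esp-dir` to stage the real signed binaries; the staged directory is what the ISO's EFI system partition image is then built from. The invariant the check enforces is the one the PR relies on: the two EFI binaries must be byte-identical to the distribution's signed files, because any on-the-fly modification invalidates the signature that shim verifies when Secure Boot is on, while on a system with Secure Boot off the same files still boot unchanged.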