help-grub

Re: GRUB can't chainload Windows under Secure Boot


From: Giovanni Santini
Subject: Re: GRUB can't chainload Windows under Secure Boot
Date: Thu, 8 Dec 2016 13:09:22 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

On 08/12/2016 12:31, Andrei Borzenkov wrote:
> 
> I understand that this needs clarification.
> 
> GRUB itself is completely Secure Boot agnostic - if you sign binary it
> will likely work and will be able to also chainload other signed
> binaries as long as firmware accepts them.
> 
> What it does not support is explicit signature verification using
> popular shim protocol which can be considered bypassing firmware check
> entirely.
> 

Ok, I see...
A (I suppose stupid) question: using Preloader should not affect it, right?
Preloader enrolls the binary of grub as valid so it can be started;
but, by that logic, it says nothing to grub about which binaries can
be chainloaded. Isn't it?

I am pretty ignorant from this point of view, I am sorry about it.

>
> https://bugzilla.opensuse.org/show_bug.cgi?id=954126#c6
> 

Thanks for the link!

I've downloaded the grub2 sources for OpenSUSE Tumbleweed (which seems
to work now, from the follow-up comments in your link) and I was checking
the Secure Boot patches. I think that the most relevant of them is the
one named 'grub2-secureboot-chainloader'. Not sure 100% though.


Additionally, I don't know if you have ever seen some ArchLinux packaging
stuff; the build is done with the following git tags:
_GRUB_GIT_TAG="grub-2.02-beta3"
_GRUB_EXTRAS_COMMIT="f2a079441939eee7251bf141986cdd78946e1d20"


I was thinking I can add some of the OpenSUSE patches to the Arch build
to add the missing support for SB.

-- 
Giovanni Santini
My blog: http://giovannisantini.tk
My code: https://git{hub,lab}.com/ItachiSan
My GPG: 2FADEBF5


