On Mon, Jul 08, 2019 at 03:24:44PM +0300, Vladislav Yarmak wrote: > First, I should explain why I consider setup with own EFI keys and PGP > signatures not as an exotic configuration but, rather, as the only > feasible use of Secure Boot.
Be all that as it may, since it requires a fair amount of work on the user's side, it cannot be expected to be the common case at the moment. > In the end, this Debian patch to grub contributes to false security > approach and cuts user from normal use of GRUB functionality. It's > clearly a security issue. If no proper solution appeared year > afterwards, probably it is worth to consider rollback of this patch. > So I'm eager to ask: is there any specific plans about this bug? I'm not aware of anyone working on it at the moment. I won't directly revert the patch that introduced this problem because doing so would have too much other fallout, but I'd be happy to help you if you're interested in working on a patch to make GRUB behave differently in the presence of check_signatures while preserving the current default workflow. -- Colin Watson [[email protected]]

