Hi SteveT,

GRUB2 has a small kernel; one can always replace that with a full-blown signed kernel, and this would not introduce another step in the boot procedure.

Edward

On 13/06/2016, Edward Bartolo <edb...@gmail.com> wrote:
> Hi,
>
> SteveT wrote:
> <<
> Most of those remaining in the Debian user world are pure idiots.
> They'll pull any old pseudofact out of thin air, and state it as an
> absolute truth.
>
> Notice that his web reference's date is October 2012. Last time I
> googled this subject (probably 9 months ago), DIY secure boot
> overrides, whether involving this Linux Foundation hack or not, were
> much more complex than installing Gentoo. They had more steps than an
> Arch chroot install. They were a mess.
>
> I've seen no distro-independent way to defeat secure-boot that was
> simple enough for a power user: A guy who can install his own software
> via ./configure;make;make install, configure his applications, change
> window managers, etc, but is not a professional admin.
>>>
>
> But I still am convinced with a signed kernel one can still use it to
> boot any installed OS. My reasoning goes like this: once the signed
> kernel boots, it would be in control of the machine. A running kernel
> can be used to run any executable provided the latter is coded for the
> same machine architecture. So, the boot procedure would first consist
> of UEFI loading the signed kernel, the kernel then loads a bootloader
> like GRUB*.
>
> What do you think? It may look an ugly workaround like most
> workarounds, but there is no logic why it should fail.
>
> Edward
>
> On 13/06/2016, Steve Litt <sl...@troubleshooters.com> wrote:
>> On Sun, 12 Jun 2016 18:00:13 +0200
>> Edward Bartolo <edb...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> In line with: <<
>>> That way only the big distros will be able to provide a bootable OS
>>> and the poor DIY guy will be definitely disgusted. This EFI thingy
>>> will in no way improve the security. It is a pure fallacy.
>>>
>>> We can survive as long as the BIOS allows non-EFI boot. I hope
>>> they will be forced by law to keep this option.
>>> >>
>>>
>>> I have been 'told' that any kernel can still be booted under UEFI
>>> Secure Boot. This was told to me on forums.debian.net. The respondent
>>> insisted any kernel can be booted even custom compiled ones.
>>>
>>> Refer to forums.debian.net thread:
>>> http://forums.debian.net/viewtopic.php?p=609579&sid=c65ab3dc5f980e0c1f79b7b7a5116511#p609579
>>>
>>> Edward
>>
>> Hi Edward,
>>
>> How can I put this politely? Let's try this...
>>
>> Most of those remaining in the Debian user world are pure idiots.
>> They'll pull any old pseudofact out of thin air, and state it as an
>> absolute truth.
>>
>> Notice that his web reference's date is October 2012. Last time I
>> googled this subject (probably 9 months ago), DIY secure boot
>> overrides, whether involving this Linux Foundation hack or not, were
>> much more complex than installing Gentoo. They had more steps than an
>> Arch chroot install. They were a mess.
>>
>> I've seen no distro-independent way to defeat secure-boot that was
>> simple enough for a power user: A guy who can install his own software
>> via ./configure;make;make install, configure his applications, change
>> window managers, etc, but is not a professional admin.
>>
>> SteveT
>>
>>
>> SteveT
>>
>> Steve Litt
>> June 2016 featured book: Troubleshooting: Why Bother?
>> http://www.troubleshooters.com/twb
>> _______________________________________________
>> Dng mailing list
>> Dng@lists.dyne.org
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng