Hi everybody (and happy 2021)! I have just installed Debian stable, with Grub2. I want to make full use of secure boot and kernel/initramfs/grub config files signing, but I have not been able to find an "already maintained" way to do it.

I think I have come up with a minimal set of changes that a) provide the grub config file signing, and b) break nothing (I think), and I want to share them with you so that maybe they can be included in upstream grub?

The assumptions are that a) gpg is installed, and b) the default name format for the signature files (so, ending in .sig) is used.

In short, it boils down to

a) defining a variable GRUB_SIGNING_KEY with the fingerprint of the key to be used.

b) add this to grub-mkconfig

###########
# Sign the generated config only when a key and an output file are both set.
if [ "x${GRUB_SIGNING_KEY}" != "x" -a "x${grub_cfg}" != "x" ]; then
  gpg --yes --default-key "${GRUB_SIGNING_KEY}" --detach-sign "${grub_cfg}" >&2
  echo >&2
fi
###########

c) add another exception for *.sig in the function 'grub_file_is_not_garbage' in grub-mkconfig_lib

What are your comments?

Thank you,
Felix

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
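
Added illustration of point c), not part of the message above and not GRUB's own code: once detached signatures sit next to the kernels, a file filter without a *.sig case lets them through as boot candidates. The two filter functions are simplified stand-ins for 'grub_file_is_not_garbage', and the vmlinuz-* glob, the helper names and the file names are assumptions constructed for the example.

```shell
#!/bin/sh
# Simplified stand-ins for the filter discussed above; sample files are constructed.

# Filter without a *.sig case: a signature file passes as a regular file.
filter_without_sig() {
  test -f "$1" || return 1
  case "$1" in
    *.dpkg-*) return 1 ;;   # package manager leftovers
  esac
  return 0
}

# Same filter with the proposed exception for detached signatures.
filter_with_sig() {
  test -f "$1" || return 1
  case "$1" in
    *.dpkg-*) return 1 ;;
    *.sig)    return 1 ;;   # detached signature, not a bootable image
  esac
  return 0
}

# Print the kernel candidates found in directory $2, using filter function $1.
list_kernels() {
  for f in "$2"/vmlinuz-*; do
    if "$1" "$f"; then basename "$f"; fi
  done
}

# Constructed sample boot directory: one kernel, its signature, one leftover.
make_sample_boot() {
  d=$(mktemp -d) || return 1
  : > "$d/vmlinuz-5.10.0-1-amd64"
  : > "$d/vmlinuz-5.10.0-1-amd64.sig"
  : > "$d/vmlinuz-5.10.0-1-amd64.dpkg-tmp"
  echo "$d"
}

main() {
  boot=$(make_sample_boot)
  echo "without *.sig case:"; list_kernels filter_without_sig "$boot"
  echo "with *.sig case:";    list_kernels filter_with_sig "$boot"
  rm -rf "$boot"
}
main
```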