On Sun, Feb 28, 2021 at 03:25:04PM -0800, James Bottomley wrote: [...]
> How about a more simple solution: you sign two grub unitary EFI
> binaries, one of which does measured boot and one of which doesn't.
> Your installer is already config file driven, so by default it would
> install the measured boot one, but if there's a failure you can tell
> the user to add the config option to install the unmeasured boot one
> ... this could also be useful for various other situations where you
> want secure but not measured boot? I'm fairly certain you could design
> a distro installer test for the problem and thus always install a
> working system. There's no security issue because anyone who does
> attested measured boot will instantly detect someone booting via the
> signed unmeasured boot grub.
>
> Note: I'm certainly not presenting this as the optimal solution, merely
> the least effort solution that looks like it will work with the current
> grub upstream.

I think we can do this in a much simpler way. Let's use one GRUB Secure
Boot signed image which contains the tpm module embedded. By default the
tpm verifier will ignore UEFI errors and always return GRUB_ERR_NONE.
However, if somebody cares about these errors they can set, e.g., the
tpm_err_ignore environment variable in grub.cfg to false. Then, if the
TPM UEFI calls fail for any reason, the machine boot fails.

Does it work for you guys?

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
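The policy Daniel proposes above, written out as an added, stand-alone C model (this is illustration code, not GRUB's tpm module or any patch from the thread). It assumes a verifier "write" hook that feeds each loaded file to a TPM log-extend call, a tiny in-memory stand-in for the GRUB environment, and a simulated EFI status so both outcomes can be exercised offline; the names env_get, tpm_log_extend, tpm_verify_write and simulate_boot are invented for the example, only the variable name tpm_err_ignore comes from the message. The thing worth noticing is the default branch: a failed measurement is swallowed and boot continues, but nothing was extended into the PCR, which is exactly what a remote attester would see, as James's quoted reply points out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the verifier's error type: 0 means "carry on" (GRUB_ERR_NONE). */
typedef enum { ERR_NONE = 0, ERR_BAD_DEVICE = 1 } err_t;

/* Constructed stand-in for an EFI_STATUS. Only success vs. anything else
 * matters to the policy, so the failure value here is arbitrary. */
typedef unsigned long efi_status_t;
#define EFI_SUCCESS ((efi_status_t) 0)
#define EFI_SIM_DEVICE_ERROR ((efi_status_t) 7)

/* Tiny stand-in for the GRUB environment (what `set` in grub.cfg writes). */
#define ENV_MAX 8
static struct { const char *name; const char *value; } env[ENV_MAX];
static size_t env_count;

static void env_clear(void) { env_count = 0; }

static void env_set(const char *name, const char *value) {
  for (size_t i = 0; i < env_count; i++)
    if (strcmp(env[i].name, name) == 0) { env[i].value = value; return; }
  if (env_count < ENV_MAX) {
    env[env_count].name = name;
    env[env_count].value = value;
    env_count++;
  }
}

static const char *env_get(const char *name) {
  for (size_t i = 0; i < env_count; i++)
    if (strcmp(env[i].name, name) == 0) return env[i].value;
  return NULL;
}

/* Policy: unset, or anything other than an explicit "false"/"no"/"0",
 * means TPM errors are ignored (the proposed default). */
static bool tpm_errors_ignored(void) {
  const char *v = env_get("tpm_err_ignore");
  if (v == NULL) return true;
  return !(strcmp(v, "false") == 0 || strcmp(v, "no") == 0 || strcmp(v, "0") == 0);
}

/* Simulated TCG2 HashLogExtendEvent: the status it reports is set by the
 * harness. Counts successful extends so a caller can see when none happened. */
static efi_status_t simulated_tpm_status = EFI_SUCCESS;
static unsigned measurements_logged;

static efi_status_t tpm_log_extend(const void *buf, size_t len, const char *desc) {
  (void) buf; (void) len; (void) desc;
  if (simulated_tpm_status == EFI_SUCCESS) measurements_logged++;
  return simulated_tpm_status;
}

/* What the verifier's write hook does with a chunk of a loaded file. */
static err_t tpm_verify_write(const void *buf, size_t len, const char *name) {
  efi_status_t st = tpm_log_extend(buf, len, name);
  if (st == EFI_SUCCESS) return ERR_NONE;
  if (tpm_errors_ignored()) {
    fprintf(stderr, "tpm: measuring %s failed (status %lu), continuing\n", name, st);
    return ERR_NONE;                /* default: unmeasured, but still boots */
  }
  fprintf(stderr, "tpm: measuring %s failed (status %lu), aborting boot\n", name, st);
  return ERR_BAD_DEVICE;            /* tpm_err_ignore=false: fail closed */
}

/* One "boot": apply the grub.cfg setting and the TPM outcome, then push a
 * constructed kernel image through the verifier. True if boot proceeds. */
static bool simulate_boot(const char *tpm_err_ignore_value, bool tpm_call_fails) {
  static const unsigned char kernel[] = "constructed-kernel-image";
  env_clear();
  if (tpm_err_ignore_value != NULL) env_set("tpm_err_ignore", tpm_err_ignore_value);
  simulated_tpm_status = tpm_call_fails ? EFI_SIM_DEVICE_ERROR : EFI_SUCCESS;
  measurements_logged = 0;
  return tpm_verify_write(kernel, sizeof kernel - 1, "/boot/vmlinuz") == ERR_NONE;
}

/* How many measurements the last simulate_boot() actually extended. */
static unsigned last_boot_measurement_count(void) { return measurements_logged; }

int main(void) {
  printf("default, TPM failing:         boot %s, %u measurement(s)\n",
         simulate_boot(NULL, true) ? "continues" : "aborts", last_boot_measurement_count());
  printf("tpm_err_ignore=false, failing: boot %s\n",
         simulate_boot("false", true) ? "continues" : "aborts");
  printf("tpm_err_ignore=false, TPM ok:  boot %s, %u measurement(s)\n",
         simulate_boot("false", false) ? "continues" : "aborts", last_boot_measurement_count());
  return 0;
}
```

The check a practitioner would add on top of this: whichever mode is chosen, the attestation side must treat "PCR never extended by the bootloader" as a failure rather than as an empty but valid log, otherwise the ignore-by-default path quietly turns measured boot into plain Secure Boot on machines with a broken TPM path.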