On Wed, 2021-03-03 at 18:28 +0100, Daniel Kiper wrote:
> On Sun, Feb 28, 2021 at 03:25:04PM -0800, James Bottomley wrote:
> > [...]
> >
> > How about a more simple solution: you sign two grub unitary EFI binaries, one of which does measured boot and one of which doesn't. Your installer is already config file driven, so by default it would install the measured boot one, but if there's a failure you can tell the user to add the config option to install the unmeasured boot one ... this could also be useful for various other situations where you want secure but not measured boot? I'm fairly certain you could design a distro installer test for the problem and thus always install a working system. There's no security issue because anyone who does attested measured boot will instantly detect someone booting via the signed unmeasured boot grub.
> >
> > Note: I'm certainly not presenting this as the optimal solution, merely the least effort solution that looks like it will work with the current grub upstream.
>
> I think we can do this in a much simpler way. Let's use one GRUB Secure Boot signed image which contains the tpm module embedded. By default the tpm verifier will ignore UEFI errors and always return GRUB_ERR_NONE. However, if somebody cares about these errors they can set, e.g., tpm_err_ignore environment variable in grub.cfg to false. Then if the TPM UEFI calls fail for any reason machine boot fails. Does it work for you guys?
It's certainly an acceptable solution. However, I'd prefer the flag be inverted so the boot will fail if the logging does because it means the UEFI firmware in the system has a very unexpected failure that needs reporting. Then any possessor of a failing system can set a flag to allow boot to proceed.

James
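The two defaults under discussion, modelled as an added example (not GRUB's own tpm verifier): one policy function decides what the verifier returns when the firmware TPM logging call fails, with Daniel's ignore-by-default behaviour and James's inverted fail-closed default selectable by a parameter. `GRUB_ERR_NONE` is GRUB's real no-error value; `MODEL_ERR_TPM`, `struct model_env` and `tpm_verify_policy` are placeholders for this illustration, and the firmware result is passed in rather than obtained from UEFI.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the policy discussed in the thread, not GRUB code.
 * GRUB_ERR_NONE is GRUB's real "no error" value; MODEL_ERR_TPM is a
 * placeholder error code standing in for "UEFI TPM call failed". */
typedef int grub_err_t;
#define GRUB_ERR_NONE 0
#define MODEL_ERR_TPM 1

/* Minimal stand-in for the grub.cfg environment: name/value string pairs. */
struct model_env {
    const char *name;
    const char *value;
};

static const char *env_get(const struct model_env *env, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(env[i].name, name) == 0)
            return env[i].value;
    return NULL; /* variable not set */
}

/* Decide what the verifier returns after the firmware hash-log-extend call.
 * fw_status: 0 if the UEFI TPM call succeeded, nonzero if it failed.
 * ignore_by_default = true  models Daniel's proposal: boot continues unless
 *                           grub.cfg sets tpm_err_ignore=false.
 * ignore_by_default = false models James's inverted flag: boot fails unless
 *                           the possessor sets tpm_err_ignore=true. */
static grub_err_t tpm_verify_policy(const struct model_env *env, size_t n,
                                    int fw_status, bool ignore_by_default)
{
    if (fw_status == 0)
        return GRUB_ERR_NONE; /* measurement was logged; nothing to decide */

    /* Firmware failed to log the measurement: the explicit setting wins,
     * otherwise the compiled-in default applies. Only the literal "true"
     * enables ignoring the error. */
    const char *v = env_get(env, n, "tpm_err_ignore");
    bool ignore = ignore_by_default;
    if (v != NULL)
        ignore = (strcmp(v, "true") == 0);

    return ignore ? GRUB_ERR_NONE : MODEL_ERR_TPM;
}
```

With the fail-closed default an attested system never silently boots with a gap in its event log; with the ignore default a remote attester still notices the missing measurement, but only after the fact.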