This is what usually happens in a Secure Boot scenario:
- UEFI Firmware loads up /BOOT/BOOTX64.EFI
- BOOTX64.EFI (shim) is loaded. (Signed by Microsoft)
- GRUBX64.EFI (Grub) is loaded. (Signed by Debian)
- Kernel is loaded. (Signed by Debian)
... if any of the previous signatures are not valid... Secure Boot
refuses to boot everything.
So when I say that SuperGrub SecureBoot support is based on Debian
binaries I'm actually saying that I'm using their signed binaries for
shim and grub.
I'm also using the Ubuntu ones. So... with SG2D you can boot
SecureBoot signed Debian kernels and SecureBoot signed Ubuntu kernels
on a SecureBoot enabled UEFI Firmware. (As long as those shim and grub
binaries' signatures are not revoked according to the UEFI's SBAT)
You can boot any system with a MOK (Machine Owner Key) that is added to
the EFI variables by the mok manager tool.
In your scenario, shim launches mokmanager in which you can add any
kernel and any boot manager to efi variables.
At least for my Arch Linux setup this works fine with Fedora's shim. I
think Ventoy also uses this method for booting anything.
Best regards
tpowa
--
Tobias Powalowski
Arch Linux Developer (tpowa)
https://www.archlinux.org
tp...@archlinux.org
Archboot Developer
https://archboot.com
St. Martin-Apotheke
Herzog-Georg-Str. 25
89415 Lauingen
https://www.st-martin-apo.de
i...@st-martin-apo.de
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel