* About grub signing config files
@ 2021-01-01  9:47 Felix Rubio Dalmau
From: Felix Rubio Dalmau @ 2021-01-01  9:47 UTC
  To: grub-devel

Hi everybody (and happy 2021)!

I have just installed Debian stable, with Grub2. I want to make full use of secure boot and kernel/initramfs/grub config files signing, but I have not been able to find an "already maintained" way to do it.

I think I have come up with a minimal set of changes that a) provide the grub config file signing, and b) break nothing (I think), and I want to share them with you so that maybe they can be included in upstream grub? The assumptions are that a) gpg is installed, and b) the default name format for the signature files (so, ending in .sig) is used.

In short, it boils down to
a) defining a variable GRUB_SIGNING_KEY with the fingerprint of the key to be used.
b) add this to grub-mkconfig
###########
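# Sign the generated config with a detached signature (<grub_cfg>.sig)
# when a signing key is configured.
if [ "x${GRUB_SIGNING_KEY}" != "x" ] && [ "x${grub_cfg}" != "x" ]; then
    gpg --yes --default-key "${GRUB_SIGNING_KEY}" --detach-sign "${grub_cfg}" >&2
    echo >&2
fi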
###########
c) add another exception for *.sig in the function 'grub_file_is_not_garbage' in grub-mkconfig_lib

What are your comments?

Thank you,
Felix
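
Added example, not part of the original message or of GRUB: a coverage check for the "<file>.sig" convention described above, reporting files under a boot directory that have no detached signature or that were rewritten after they were signed. The function names sig_status and audit_boot_sigs and the directory passed on the command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from GRUB).
# Assumes detached signatures are stored next to each file as "<file>.sig".
# sig_status and audit_boot_sigs are hypothetical helper names.

# Print "ok", "missing" or "stale" for a single file.
sig_status () {
  file=$1
  sig="${file}.sig"
  if [ ! -f "$sig" ]; then
    echo missing
  elif [ "$file" -nt "$sig" ]; then
    # The file changed after it was signed, e.g. grub.cfg was
    # regenerated without re-running the signing step.
    echo stale
  else
    echo ok
  fi
}

# List every regular file under a directory that is not covered by a
# current signature, one "<status> <path>" line per finding.
# Signature files themselves are skipped, mirroring the *.sig exception
# proposed for grub_file_is_not_garbage.
# Paths containing newlines are not handled.
audit_boot_sigs () {
  find "$1" -type f ! -name '*.sig' | LC_ALL=C sort |
  while IFS= read -r f; do
    status=$(sig_status "$f")
    [ "$status" = ok ] || printf '%s %s\n' "$status" "$f"
  done
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ "$#" -gt 0 ]; then
  audit_boot_sigs "$1"
fi
```

This checks coverage and freshness only; whether a signature is actually valid is still decided by gpg --verify against the signing key.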



