[arch-general] Can anyone share experience with "preloader" on Arch (UEFI secure boot)?

Maarten de Vries maarten at de-vri.es
Sat Sep 26 12:10:39 UTC 2020


On Thu, 24 Sep 2020 at 14:18, Manuel Reimer <mail+archgeneral at m-reimer.de>
wrote:

> Hello,
>
> I want to occasionally run Linux on a system which was set up with
> Windows 10 with Bitlocker enabled.
>
> Disabling secure boot for Linux and re-enabling it when booting into
> Windows starts to get annoying.
>
> So my idea was to just use "preloader" and add it to the chain of EFI
> binaries to execute. But as Arch gets kernel updates pretty often I am a
> bit worried about getting my MokList corrupted at some time as described
> here:
>
> http://blog.rootserverexperiment.de/2013/06/02/moklist-gesemmelt-boot-unmoglich-moklist-corruptet-boot-impossible/
>
> Has anyone ever noticed this problem? How are the hashes stored? If I
> update the kernel, will preloader *replace* the hash in MokList or add a
> new one? How is this MokList stored? Is this flash memory with limited
> write cycles?
>

Depending on how much you actually value the security of secure boot, you
could just add your own DB key (so not a MOK) and sign grub with that key
directly rather than using shim. Grub will then happily load any unsigned
Linux kernel. This is a bug in the shim_lock grub module, but even when it
is fixed, you can get grub to ignore secure boot as long as you don't use
the shim_lock module.

If you actually want to prevent unsigned code from running, you should use
shim with a MOK. You only need a single key that you can use to sign your
bootloader and kernel images. By using a key for signing, you don't have to
add any hashes to the MOK database. So there also shouldn't be much risk of
corrupting your MOK database.

-- Maarten
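The reply above recommends signing the bootloader and kernel with a single key instead of letting preloader push a new hash into MokList on every kernel update. A practical companion check, added here as an example and not part of the thread or of any Arch or shim tooling, is to confirm after each `linux` package upgrade that the image in /boot actually carries an embedded Authenticode signature before rebooting (a pacman hook in /etc/pacman.d/hooks/ is the usual place to run such a check). The script below locates the PE/COFF Certificate Table as defined in the Microsoft PE specification; it only detects the presence and type of the signature table and does not verify the signature cryptographically (use `sbverify --cert` for that). The sample images it builds are constructed, section-less PE32+ stubs with a placeholder certificate body, not real signed binaries.

```python
"""Detect whether a PE/COFF EFI image (vmlinuz, grubx64.efi, shim) carries an
embedded Authenticode certificate table.  Added example, not from the thread.
Detection only: this does NOT verify the signature (sbverify does that)."""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CERT_TABLE_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, what sbsign emits


def find_authenticode(image: bytes):
    """Return (file_offset, table_size, cert_type) for the Certificate Table,
    or None when the image has no signature entry.  Raises ValueError on a
    malformed header so a hook can fail loudly rather than pass garbage."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", image, opt + ndirs_off)
    if ndirs <= CERT_TABLE_INDEX or dirs_off + 8 * ndirs > size_of_opt:
        return None
    entry = opt + dirs_off + 8 * CERT_TABLE_INDEX
    va, size = struct.unpack_from("<II", image, entry)
    if va == 0 or size == 0:
        return None
    # Unlike the other directories, the security directory is a raw file
    # offset, not an RVA, because the signature lives outside any section.
    if va + 8 > len(image) or va + size > len(image):
        raise ValueError("certificate table points outside the file")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", image, va)
    if dw_length > size:
        raise ValueError("WIN_CERTIFICATE length exceeds table size")
    return va, size, cert_type


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ stub (no sections) for demonstration only."""
    ndirs = 16
    opt_size = 112 + 8 * ndirs
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, ndirs)          # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        body = b"CONSTRUCTED-PKCS7-PLACEHOLDER"       # not a real signature
        win_cert = struct.pack("<IHH", 8 + len(body), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        win_cert += b"\0" * (-len(win_cert) % 8)     # spec: 8-byte aligned
        entry = 64 + 4 + 20 + 112 + 8 * CERT_TABLE_INDEX
        struct.pack_into("<II", image, entry, len(image), len(win_cert))
        image += win_cert
    return bytes(image)


def describe(image: bytes) -> str:
    found = find_authenticode(image)
    if found is None:
        return "unsigned"
    off, size, ctype = found
    kind = "PKCS#7 signed data" if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA \
        else f"certificate type {ctype:#06x}"
    return f"signed ({kind}, {size} bytes at offset {off})"


if __name__ == "__main__":
    # e.g. python3 check_signed.py /boot/vmlinuz-linux /boot/EFI/arch/grubx64.efi
    paths = sys.argv[1:]
    if not paths:
        for name, img in (("unsigned-stub", build_sample_pe(False)),
                          ("signed-stub", build_sample_pe(True))):
            print(f"{name}: {describe(img)}")
    for p in paths:
        with open(p, "rb") as fh:
            print(f"{p}: {describe(fh.read())}")
```

Run with no arguments it reports on the two constructed stubs; pointed at /boot/vmlinuz-linux after a kernel upgrade, an "unsigned" result means the re-signing step did not run and a reboot with secure boot enabled would fail, which is exactly the situation that tempts people toward hash-based MokList entries.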
