Announcement

Collapse
No announcement yet.

GRUB Bootloader Picks Up A Verifier Framework For Secure Boot, TPM, PGP Verification

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GRUB Bootloader Picks Up A Verifier Framework For Secure Boot, TPM, PGP Verification

    Phoronix: GRUB Bootloader Picks Up A Verifier Framework For Secure Boot, TPM, PGP Verification

    Landing in the GRUB boot-loader minutes ago is a new "verifiers" framework providing core verification functionality for the likes of UEFI Secure Boot, Trusted Platform Modules, and PGP...

    http://www.phoronix.com/scan.php?pag...iers-Framework

  • #2
    does this verification framework allow to verify the integrity of GRUB itself (or 'only' the things GRUB starts)? Currently there is one solution for that https://github.com/xmikos/cryptboot which uses SecureBoot to verify GRUB before(!) a password is entered for an encrypted boot partition. It would be nice to couple that with TPM.

    Comment


    • #3
      First thing I do is remove Grub on any install and blank the MBR just to make sure it's gone.

      Grub on my laptop doesn't seem to use the framebuffer correctly, meaning I see it 4x. Swapped with Refind, works fine, boots faster and don't need to touch it when I'm swapping distros or kernels. I'm still amazed it's the default bootloader on UEFI systems because it nullifies some of the advantages of UEFI.

      Comment


      • #4
        Actually on UEFI laptops (everything modern?) it's possible to boot Linux kernel directly as an EFI application (EFISTUB). This can be additionally signed to work with SecureBoot avoiding the GRUB/bootloader entirely.

        Comment


        • #5
          Actually what I would like to see is easier systemd-boot usage on Ubuntu. Currently it require is getting rid of GRUB2 somehow and then (even on Arch, not only on Ubuntu) setting up systemd-boot with some custom script that should update kernel image on esp after kernel package upgrade. IMO such things should be easier.

          Comment


          • #6
            I dropped grub a couple years ago when they told me they wouldn't upgrade their zfs support to the current revision.

            Comment


            • #7
              Originally posted by some_canuck View Post
              I dropped grub a couple years ago when they told me they wouldn't upgrade their zfs support to the current revision.
              I'm in a situation where I don't have a UEFI system and I use ZFS on Root. I'm currently using Grub but I'd like to change to something else where I won't have to move /boot to a restricted ZFS drive for Grub and the rest of /(root) on a more modern ZFS drive that supports encryption, dedup, and other features that Grub doesn't support.

              Anyone have any ideas that I could try? It's been a long time since I've looked into bootloaders so I'm not sure what the best solution is for ZFS on Root without UEFI.

              Comment


              • #8
                My last fuckup was upgrading the root zfs pool to features unsupported by grub cause of licenses or whatever , started by backing the pool in order to recreate it with the def config, then I just got lazy and put the boot partition on a flash drive

                Comment


                • #9
                  So how does this mend with the GPL3, that requires users to be able to replace it?
                  Is there a requiref backdoor/off switch making the 'secure' part a joke, are the hashes/certificates provided to sign your replacement (pushing the relevant secret in the open). Or will anyone using it be required to setup a service to sign any replacements?

                  I can't see how a secure chain be maintained if you are legally required that 3rd parties can replace a part of that chain

                  Comment


                  • #10
                    Originally posted by discordian View Post
                    So how does this mend with the GPL3, that requires users to be able to replace it?
                    Is there a requiref backdoor/off switch making the 'secure' part a joke, are the hashes/certificates provided to sign your replacement (pushing the relevant secret in the open). Or will anyone using it be required to setup a service to sign any replacements?

                    I can't see how a secure chain be maintained if you are legally required that 3rd parties can replace a part of that chain
                    sorry wtf is this? GPL3 grants that to users, if you don't own the system or you have no permission from the owner/admin you are not a user. Are you confusing it with the Affero GPL license?

                    Comment

                    Working...
                    X