archlinux / archinstall

Arch Linux installer - guided, templates etc.
GNU General Public License v3.0

Add GRUB secure boot options #1432

Open ryanfantus opened 2 years ago

ryanfantus commented 2 years ago

Hey team,

Basic context is that installing GRUB to use with secure boot will require a specific set of command line arguments at install time.

My suggestion would be to offer a yes/no prompt asking if GRUB should be installed with secure boot capabilities, even though actually configuring secure boot can happen later.

The arguments needed for secure boot support during GRUB install utilizing keys, NOT using the shim, are

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

The args required for using the shim are

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm"

It is possible to combine both of these into one and treat it as a cure-all for any secure boot needs; however, this may hypothetically pose some security risk.

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm" --disable-shim-lock

Thread for context

Torxed commented 2 years ago

a specific set of command line arguments at install time

Is this true? Because this feels like a command you could run at any time after a system has been installed, thus "upgrading" it to secure boot?

Secure boot is on my wishlist of things, but I'm not sure this is as required as the description makes it out to be. I might be wrong tho and I'd love to discuss it.

ryanfantus commented 2 years ago

Yeah, basically, GRUB needs to install itself correctly to be able to handle secure boot. I just think configuring it that way by default will alleviate problems for people, and it comes at very little overhead.

Naturally truly using secure boot means enrolling your own keys or using a shim, both of which are well documented. But for some reason the way GRUB needs to be installed in the first place is something I always have to go dig up every time I start over :)

Torxed commented 2 years ago

and it comes at very little overhead

That I understand, but since you can "install" grub post-installation and achieve this, it would only alleviate problems for the few that want secure boot, but install something for everyone that they may never need.

I'm not too familiar with what grub actually does when it uses these flags. I know that --modules="tpm" will probably fail on some hardware, and will that work without EFI?

however this may hypothetically pose some security risk

And this shakes me a little bit. We'd need to discuss this further before we start working on it.

Dungeonseeker commented 1 year ago

and it comes at very little overhead

That I understand, but since you can "install" grub post-installation and achieve this, it would only alleviate problems for the few that want secure boot, but install something for everyone that they may never need.

I'm not too familiar with what grub actually does when it uses these flags. I know that --modules="tpm" will probably fail on some hardware, and will that work without EFI?

however this may hypothetically pose some security risk

And this shakes me a little bit. We'd need to discuss this further before we start working on it.

Has this idea been considered? I'd like to add my support to it since secure boot on linux seems to be largely ignored by everyone.

Not sure how you think it'll install additional unnecessary stuff, just make it an option when selecting grub:

Use Grub: Yes?/No? > Secure Boot: Yes?/No? > CA Keys or shim?

The TPM command will fail on a non UEFI system but then, why would someone not using UEFI choose to install secure boot support anyway?

The modules command simply preloads the listed modules so they can be accessed before unlocking.
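As an added illustration of the menu flow proposed above (Use Grub > Secure Boot > CA keys or shim), here is a small Python helper that is not archinstall code: it builds the grub-install argument list for the two variants from the opening post, refuses the combined "cure-all" form because --disable-shim-lock switches off the shim_lock verifier that a shim-booted GRUB relies on, and checks for a UEFI boot before running anything, since the tpm module is of no use on a BIOS boot. The function names, the "keys"/"shim" mode strings and the sysfs check are assumptions of this example.

```python
import os
import subprocess
from typing import List

# Module list for the shim variant, copied from the opening post of this issue.
SHIM_MODULES = ("normal test efi_gop efi_uga search echo linux all_video "
                "gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv "
                "configfile tpm")


def grub_install_args(mode: str, efi_dir: str = "/boot",
                      bootloader_id: str = "GRUB") -> List[str]:
    """Build argv for grub-install (hypothetical helper, not archinstall's).

    mode "keys": the user enrolls their own Secure Boot keys, no shim, so GRUB
                 must run with --disable-shim-lock (it has no shim to talk to).
    mode "shim": boot via shim; keep the shim_lock verifier and preload the
                 modules GRUB needs before anything else can be verified.
    Any other mode (including a "both" cure-all) is rejected: shim modules plus
    --disable-shim-lock would let a shim-booted GRUB load unverified kernels.
    """
    base = ["grub-install", "--target=x86_64-efi",
            f"--efi-directory={efi_dir}", f"--bootloader-id={bootloader_id}"]
    if mode == "keys":
        return base + ["--modules=tpm", "--disable-shim-lock"]
    if mode == "shim":
        # argv form: one element, so no shell quoting of the space-separated list
        return base + [f"--modules={SHIM_MODULES}"]
    raise ValueError(f"unsupported secure boot mode: {mode!r}")


def booted_with_uefi(sysfs_root: str = "/sys") -> bool:
    """True when the running system booted via UEFI (efivars exposed in sysfs)."""
    return os.path.isdir(os.path.join(sysfs_root, "firmware", "efi"))


def install_secure_boot_grub(mode: str, efi_dir: str = "/boot",
                             dry_run: bool = True) -> List[str]:
    """Validate the environment, then run (or just return) the command."""
    if not booted_with_uefi():
        raise RuntimeError("Secure Boot GRUB install needs a UEFI boot; "
                           "the tpm module fails on BIOS systems")
    argv = grub_install_args(mode, efi_dir)
    if not dry_run:
        subprocess.run(argv, check=True)  # run as root inside the target chroot
    return argv
```

With dry_run=True the function only returns the argv it would execute, which is convenient for showing the user the exact command before committing to it.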

5p4r74cu5 commented 8 months ago

Use Grub: Yes?/No? > Secure Boot: Yes?/No? > CA Keys or shim?

I second this suggestion, although perhaps if there are concerns about hardware variations causing issues perhaps the secure boot options could be nested inside a submenu in the bootloader menu instead of being a sequential step after selecting grub. This arrangement would avoid users who are not exactly sure what they are doing just choosing yes when they see the word "secure" because secure=good.

That said, although I doubt there will be an appetite for including such functionality, I would love for archinstall to perform the signing process as well, albeit with an "advanced"/"experimental" feature warning. I've automated signing with sbctl in a script myself without issues. I just scripted something to make sure firmware files aren't immutable before signing, as that seems to be the main hardware variable that some users run into.