You'd have to write some code for both grub2 and shim. Grub2 doesn't
actually do the authentication itself, it calls back to shim to do that.
And shim is looking in two databases for certs/hashes.
You'd probably need to rebuild shim with your personal key embedded,
and modified to always verify. Then you'd need to modify grub2 to
always call shim to do verification and install that. I honestly have
no idea how difficult that would be.

Looks complicated - I'll keep that option in mind as "plan B" if I get
stuck and my "plan A" is not feasible!

It's carried in the patchset and put in
Documentation/kernel-parameters.txt. It's called "secureboot_enable=".

Brilliant, thanks!

You should be able to disable Secure Boot in the firmware, and reboot
back into setup mode. It should allow you to delete all the existing
keys at that point. Though you'd actually need to have a machine that
has Secure Boot implemented in the first place.

Aha! I wasn't aware of that (it tells me I could disable it, but I
wasn't aware that I could delete all the keys... nice!).

You can. In order to be specification compliant, the machine needs to
allow you to disable Secure Boot.

That is indeed the case!

Once that's done, it'll enter setup
mode. Once in that mode, I believe there are even some open source
tools that will help you enroll keys, etc.

I'll dig that up when I have more time. If I could manage to get that
working the rest should fall into place quite easily and I won't need to
mess around with shim/grub2. Thanks for that Josh, much appreciated!
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
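
Added example, not part of the original thread or of any project mentioned in it: a small Python check for whether a machine is in setup mode, has Secure Boot enforcing, or has it disabled, read from the `SecureBoot` and `SetupMode` UEFI variables that Linux exposes through efivarfs. The state labels it returns and the function names are this example's own; the mount point is the usual Linux default and is assumed here.

```python
import os
import struct

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; efivarfs names files "<Name>-<GUID>".
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"  # assumed: usual efivarfs mount point on Linux


def decode_flag(raw):
    """Decode a one-byte boolean UEFI variable as exposed by efivarfs.

    efivarfs prepends a 4-byte little-endian attribute word to the data,
    so SecureBoot and SetupMode are each exactly 5 bytes long.
    """
    if len(raw) != 5:
        raise ValueError("expected 4 attribute bytes + 1 data byte, got %d" % len(raw))
    _attributes, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError("unexpected flag value %d" % value)
    return bool(value)


def read_flag(efivars_dir, name):
    """Return True/False for the variable, or None if the firmware does not expose it."""
    path = os.path.join(efivars_dir, "%s-%s" % (name, EFI_GLOBAL_GUID))
    try:
        with open(path, "rb") as fh:
            return decode_flag(fh.read())
    except FileNotFoundError:
        return None


def secure_boot_state(efivars_dir=EFIVARS_DIR):
    """Classify the firmware state (labels are this example's own)."""
    if not os.path.isdir(efivars_dir):
        return "no-efivarfs"      # legacy BIOS boot, or efivarfs not mounted
    secure_boot = read_flag(efivars_dir, "SecureBoot")
    setup_mode = read_flag(efivars_dir, "SetupMode")
    if secure_boot is None or setup_mode is None:
        return "not-implemented"  # firmware without Secure Boot support
    if setup_mode and secure_boot:
        return "inconsistent"     # the spec does not allow enforcement in setup mode
    if setup_mode:
        return "setup-mode"       # no Platform Key enrolled; own keys can be enrolled
    return "enforcing" if secure_boot else "disabled"


if __name__ == "__main__":
    print(secure_boot_state())
```

Run it before and after changing the firmware settings: key enrollment with your own keys is only possible once it reports `setup-mode`.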