On Thu, 24 Sep 2020 at 14:18, Manuel Reimer <mail+archgeneral@xxxxxxxxxxx> wrote:
> Hello,
>
> I want to occasionally run Linux on a system which was set up with
> Windows 10 with Bitlocker enabled.
>
> Disabling secure boot for Linux and reenabling it when booting into
> Windows starts to get annoying.
>
> So my idea was to just use "preloader" and add it to the chain of EFI
> binaries to execute. But as Arch gets kernel updates pretty often I am a
> bit worried about getting my MokList corrupted at some time as described
> here:
>
> http://blog.rootserverexperiment.de/2013/06/02/moklist-gesemmelt-boot-unmoglich-moklist-corruptet-boot-impossible/
>
> Has anyone ever noticed this problem? How are the hashes stored? If I
> update the kernel, will preloader *replace* the hash in MokList or add a
> new one? How is this MokList stored? Is this flash memory with limited
> write cycles?

Depending on how much you actually value the security of secure boot, you
could just add your own DB key (so not a MOK) and sign grub with that key
directly rather than using shim. Grub will then happily load any unsigned
linux kernel. This is a bug in the shim_lock grub module, but even when it
is fixed, you can get grub to ignore secure boot as long as you don't use
the shim_lock module.

If you actually want to prevent unsigned code from running, you should use
shim with a MOK. You only need a single key that you can use to sign your
bootloader and kernel images. By using a key for signing, you don't have
to add any hashes to the MOK database. So there also shouldn't be much
risk of corrupting your MOK database.

--
Maarten
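The key-based workflow Maarten recommends, as an added shell example that is not part of the thread: one self-generated key is enrolled as a MOK once and then used to sign both the bootloader and every new kernel image, so MokList holds a single certificate instead of a growing list of per-kernel hashes. Tool names are the usual openssl, sbsigntools and mokutil binaries; the key directory and the /boot paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): key-based Secure Boot signing with a
# single MOK, as Maarten suggests. Key directory and /boot paths are assumed.
set -eu

KEYDIR="${KEYDIR:-/etc/secureboot/keys}"

# Generate an RSA key and self-signed cert. sbsign consumes the PEM pair;
# mokutil enrolls the DER copy of the certificate.
make_signing_key() {
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Local Secure Boot MOK/" \
        -keyout "$KEYDIR/MOK.key" -out "$KEYDIR/MOK.pem"
    openssl x509 -in "$KEYDIR/MOK.pem" -outform DER -out "$KEYDIR/MOK.der"
}

# Sign one PE/EFI image (bootloader or kernel) in place and verify the
# result. Fails early on a missing file so nothing is left unsigned.
sign_image() {
    img="$1"
    [ -f "$img" ] || { echo "sign_image: no such file: $img" >&2; return 1; }
    sbsign --key "$KEYDIR/MOK.key" --cert "$KEYDIR/MOK.pem" \
        --output "$img" "$img"
    sbverify --cert "$KEYDIR/MOK.pem" "$img"
}

# Queue the certificate for MokManager (password prompt at next boot);
# mokutil --test-key exits 0 when the key is already in MokList.
enroll_mok() {
    if mokutil --test-key "$KEYDIR/MOK.der" >/dev/null 2>&1; then
        echo "MOK already enrolled"; return 0
    fi
    mokutil --import "$KEYDIR/MOK.der"
}

# First-time setup; afterwards only sign_image needs to run on each kernel
# update (e.g. from a pacman hook), never another MOK enrollment.
main() {
    [ -f "$KEYDIR/MOK.key" ] || make_signing_key
    sign_image /boot/EFI/arch/grubx64.efi
    sign_image /boot/vmlinuz-linux
    enroll_mok
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with `--run`, then call `sign_image` on the new vmlinuz from a kernel-install hook; the certificate enrollment is a one-time step.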