Posted Sep 13, 2012 7:38 UTC (Thu) by skitching (subscriber, #36856)
Parent article: LSS: Secure Boot
The article mentions "signing the bootloader". However GRUB2 isn't a monolithic application; it loads modules from the filesystem. So are all the files in /boot/grub going to be individually signed? If not, then can't I create a new module in /boot/grub, and modify grub.cfg to load it, and thereby take control of the "signed" bootloader?
And how will this affect WUBI, where the Microsoft bootloader is used to boot into Linux? That approach is specifically targeted at non-technical Windows users, ie those least likely to disable secure boot in the firmware.
What are the implications if secure boot is disabled in the firmware, then Windows is booted? Will windows refuse to run (or some programs, eg Microsoft's Genuine Windows validation checks)? If so, can a custom bootloader be used to "lie" to windows about secure-boot being enabled when it actually is not?