UEFI: Difference between revisions

521 bytes added, 3 years ago
m (added shim description)
Note that UEFI applications are not signed by the PK, unless the PK also happens to be in the KEK.
 
Not all UEFI firmwares support Secure Boot, although it is a requirement for Windows 8. Some UEFI firmwares support Secure Boot and offer no option to disable it, which poses a problem for independent developers that do not have access to the PK or to any of the keys in the KEK, and therefore cannot install their own key, application signature or hash in the whitelist database. Independent developers should develop on systems that either do not support Secure Boot or have an option for Secure Boot to be turned off.
 
An easy way out is to use a loader that is signed by Microsoft and allows you to load another binary signed by a key and certificate owned by you (called MOK, Machine Owner's Key). Such a loader is [https://github.com/rhboot/shim shim], used by RedHat, Fedora, Suse, Ubuntu, Arch and many other distros to load GRUB. The filename of the EFI executable it loads next is hardwired in shim, so if you rename your loader to GRUBX64.EFI (or GRUBIA32.EFI) and sign it with your MOK key and certificate using [https://github.com/imedias/sbsigntool sbsigntool], you can load any loader you want under Secure Boot.
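Before rebooting into shim it is worth checking that the renamed loader actually carries the Authenticode signature that shim will verify against the MOK. The following is an added example (not part of the wiki page, shim or sbsigntool) that parses the PE/COFF headers of an EFI executable and lists the WIN_CERTIFICATE entries in its security directory. It only detects the presence and type of a signature; verifying the PKCS#7 blob against db or the MOK list is what the firmware and shim do at boot. The minimal PE32+ image builder is a constructed fixture so the parser can be exercised offline; the function names are this example's own.

```python
import struct

# Data directory index and WIN_CERTIFICATE constants from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode (PKCS#7 SignedData)
WIN_CERT_REVISION_2_0 = 0x0200


def find_authenticode_certs(image: bytes):
    """Return a list of (revision, cert_type, cert_bytes) for every WIN_CERTIFICATE
    in the PE security directory; an unsigned image yields []. Raises ValueError
    for data that is not a PE image or whose certificate table is malformed."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header offset 96
        dd_off = 96
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes sits right before the data directories
    n_dirs = struct.unpack_from("<I", image, opt + dd_off - 4)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike other directories, the security directory holds a raw file offset, not an RVA
    cert_off, cert_size = struct.unpack_from("<II", image, entry)
    if cert_off == 0 or cert_size == 0:
        return []
    certs = []
    pos, end = cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry")
        certs.append((revision, cert_type, bytes(image[pos + 8:pos + length])))
        pos += (length + 7) & ~7   # entries are 8-byte aligned
    return certs


def is_signed(image: bytes) -> bool:
    """True if the image carries at least one Authenticode (PKCS#7) signature."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in find_authenticode_certs(image))


def build_minimal_pe32plus(cert_blob=None) -> bytes:
    """Constructed fixture: a header-only PE32+ EFI application with no sections,
    optionally carrying one WIN_CERTIFICATE wrapping cert_blob."""
    opt_size = 112 + 16 * 8                      # PE32+ optional header with 16 directories
    cert_off = 64 + 4 + 20 + opt_size            # certificate table follows the headers (8-aligned)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<H", opt, 72, 10)          # Subsystem = EFI application
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    table = b""
    if cert_blob is not None:
        table = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe32plus(b"constructed PKCS#7 placeholder")
    for rev, ctype, blob in find_authenticode_certs(data):
        print("WIN_CERTIFICATE revision=0x%04x type=0x%04x length=%d" % (rev, ctype, len(blob)))
    print("signed:", is_signed(data))
```

Run it against a real loader with `python3 check_sig.py GRUBX64.EFI`; an image that sbsign has not touched reports `signed: False`, which is exactly the case shim will refuse at boot. Renaming the file does not change its headers, so the result is the same before and after the rename to GRUBX64.EFI.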
 
Although some firmware has no option for turning Secure Boot off, thanks to the incompetence of the Microsoft developers, Win8's bootmgr.efi contains a huge security flaw which allows loading of policies that [https://www.xda-developers.com/microsofts-debug-mode-flaw-and-golden-key-leak-allows-disabling-of-secure-boot/ turn off Secure Boot on any computer]. This flaw cannot be patched, because anybody can simply replace a fixed Win10 bootmgr.efi with the original Win8 bootmgr.efi without problems.
 
===How to use UEFI===