Edward Bartolo <edbarx@???> wrote:
> I think, with a signed Linux kernel, UEFI Secure Boot can be made to
> load any other unsigned Linux kernel, which would imply, any
> distribution would be possible to be booted.
>
> How I imagine it can be done:[list]
> [*]boot partition would contain a signed Linux kernel which UEFI loads
> as soon as the boot sequence starts
> [*]the signed kernel would run a simple program that loads a
> bootloader like GRUB2
> [*]the bootloader would continue as it normally does[/list]
Isn't it the bootloader that UEFI loads and runs, and as long as the bootloader (Grub) is signed, then UEFI should boot it and grub can boot anything you want. Kind of blasts the argument that secure boot is either essential or secure out of the water when you can sign one bit of "insecure"* code and have it load anything.
* Insecure only from the POV of secure boot, where the whole idea relies on every link in the chain being secure.