dunkelstern, 28 days ago

@scy go for it, configuration of that thing is sooo much cleaner than grub (and you can save another entry as the default entry by just pressing "d" in the boot menu)

scy, 28 days ago

@dunkelstern I'll need to roll my own Secure Boot keys in that case though, right? Something I was hoping to avoid.

gd2, 28 days ago

@scy @dunkelstern Wait, how so, is there a pre-signed GRUB? sd-boot should also work with shim if you are referring to that, though I never tried it.

Self-signing is advantageous (in your case) though, as that is probably the only way you can verify your initramfs as well?

scy, 28 days ago

@gd2 @dunkelstern Yes, according to https://wiki.debian.org/SecureBoot#Supported_architectures_and_packages Debian comes with pre-signed GRUB and kernel, shim is also available.

I'm kind of a noob when it comes to how SB works, but the way I understand it, since sd-boot only works with UKIs, I need to combine Debian's signed kernel and initramfs into a UKI and thus self-sign anyway.

gd2, 27 days ago (edited 27 days ago)

@scy @dunkelstern Ah sorry, then I skipped a lot of steps in my initial reply.

So from the wiki page, only shim is signed by Microsoft, the others (including GRUB) are signed by Debian, which tracks with what I know. So the Microsoft signed shim is required if you want to use SB but not roll your own keys, as most consumer hardware has only the Microsoft CA installed and not the Debian one. Instead, shim contains the Debian CA and then verifies the Debian signed GRUB, I believe. [1/3]