On Thu, 24 Sep 2020 at 14:18, Manuel Reimer <mail+archgeneral@m-reimer.de> wrote:
> Hello,
>
> I want to occasionally run Linux on a system which was set up with Windows 10 with BitLocker enabled.
> Disabling Secure Boot for Linux and re-enabling it when booting into Windows starts to get annoying.
>
> So my idea was to just use "PreLoader" and add it to the chain of EFI binaries to execute. But as Arch gets kernel updates pretty often, I am a bit worried about getting my MokList corrupted at some time, as described here:
> http://blog.rootserverexperiment.de/2013/06/02/moklist-gesemmelt-boot-unmogl...
>
> Has anyone ever noticed this problem? How are the hashes stored? If I update the kernel, will PreLoader *replace* the hash in MokList or add a new one? How is this MokList stored? Is this flash memory with limited write cycles?
Depending on how much you actually value the security of Secure Boot, you could just add your own DB key (so not a MOK) and sign GRUB with that key directly rather than using shim. GRUB will then happily load any unsigned Linux kernel. This is a bug in the shim_lock GRUB module, but even when it is fixed, you can get GRUB to ignore Secure Boot as long as you don't use the shim_lock module.

If you actually want to prevent unsigned code from running, you should use shim with a MOK. You only need a single key that you can use to sign your bootloader and kernel images. By using a key for signing, you don't have to add any hashes to the MOK database. So there also shouldn't be much risk of corrupting your MOK database.

-- 
Maarten
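To make the "how are the hashes stored" question concrete: MokList is a UEFI variable holding one or more EFI_SIGNATURE_LIST structures, where a hash enrolled by PreLoader/HashTool is an EFI_CERT_SHA256 entry and a signing key is an EFI_CERT_X509 entry. The following is an added example, not code from either poster, that parses such a variable and reports hash entries versus certificate entries; it assumes the efivarfs path below and builds a constructed sample list so it runs offline.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Assumption: shim's runtime mirror of MokList as exposed by efivarfs; the
# first 4 bytes of an efivarfs file are the variable attributes, not payload.
MOKLIST_PATH = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structs; return [(type, owner, payload)]."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def enrolled_hashes(data):
    """Set of SHA-256 binary digests that a HashTool-style enrolment left in the list."""
    return {e[2] for e in parse_signature_lists(data) if e[0] == EFI_CERT_SHA256_GUID}


def count_by_type(data):
    """Returns (number of hash entries, number of X.509 certificate entries)."""
    entries = parse_signature_lists(data)
    return (sum(e[0] == EFI_CERT_SHA256_GUID for e in entries),
            sum(e[0] == EFI_CERT_X509_GUID for e in entries))


def build_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Constructed sample: one EFI_SIGNATURE_LIST of SHA-256 entries (16-byte owner + 32-byte hash)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed input standing in for three kernel builds enrolled by hash, one per update.
SAMPLE_DIGESTS = [hashlib.sha256(b"vmlinuz-linux build %d" % i).digest() for i in range(3)]
SAMPLE_MOKLIST = build_sha256_list(SAMPLE_DIGESTS)


def load_moklist(path=MOKLIST_PATH):
    """Read the live variable (needs an EFI system with shim); strips the efivarfs attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]
```

Run `count_by_type(load_moklist())` on a real system to see whether the list has grown to many hash entries (one per enrolled binary) or holds a single certificate entry as Maarten recommends.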