linux-luks-tpm-boot

TrustedGRUB2 deprecated

Open 0xc0fed00d opened this issue 3 years ago • 2 comments

Hi,

I just came across your very extensive guide. I'd have happily tried it out, but unfortunately the TrustedGRUB2 team decided to deprecate the project just about three weeks ago. Maybe you're aware of some alternative?

Best, Simon

0xc0fed00d, Oct 20 '21 13:10

Hi, no, unfortunately I am not. Maybe you'll find something in the discussion of closed issues?

I'll be happy to hear if you figure out something!

morbitzer, Oct 20 '21 14:10

ccharon/debian-secure-boot might be a solution. It's written for buster so some of its packaging infrastructure's a little old. It might warrant an examination of the GRUB scripts to see if they need some updates. GRUB nowadays can read LUKS2 encrypted /boot, but if you signed your new kernel and initramfs for your machine, as well as the versions of grub and grub's modules, the entire boot chain can be verified to have been the one you authorized, possibly to the point of removing/revoking the Microsoft keys installed by default, if you wish to do that.

Backups, generating rescue media, safeguarding the rescue media, etc. all become very important if you want to take that as far as it can go, but the option exists.

knghtbrd, Nov 07 '22 08:11