How to enforce Secure Boot on the following setup : ubunutu 16.04 with grub2

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP








up vote
0
down vote

favorite












Problem:
Unsigned kernels boot up on UEFI Secure Boot enabled machine



Setup:

OS: Canonical signed Ubuntu 16.04

GRUB2: Canonical signed 2.02~beta2-36ubuntu3.17

SHIM: Microsoft signed, Canonical keys in DB



Normal secure boot works and confirmed via demsg BOOT_IMAGE log to observe *...efi.signed image loads and 'sbverify' to check whether the same is signed with Canonical key.



I intend to disable unsigned kernel load on a UEFI machine with secure boot enabled. I referred to #1401532.
and other links related to the issue.



Is there any way to force only signed kernel load and block all unsigned kernel with the current setup mentioned above ?
with minimal changes in grub.cfg, any patch, etc.



Thanks,
AT




boot grub2 uefi secure-boot




share|improve this question


























    up vote
    0
    down vote

    favorite












    Problem:
    Unsigned kernels boot up on UEFI Secure Boot enabled machine



    Setup:

    OS: Canonical signed Ubuntu 16.04

    GRUB2: Canonical signed 2.02~beta2-36ubuntu3.17

    SHIM: Microsoft signed, Canonical keys in DB



    Normal secure boot works and confirmed via demsg BOOT_IMAGE log to observe *...efi.signed image loads and 'sbverify' to check whether the same is signed with Canonical key.



    I intend to disable unsigned kernel load on a UEFI machine with secure boot enabled. I referred to #1401532.
    and other links related to the issue.



    Is there any way to force only signed kernel load and block all unsigned kernel with the current setup mentioned above ?
    with minimal changes in grub.cfg, any patch, etc.



    Thanks,
    AT




    boot grub2 uefi secure-boot




    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      Problem:
      Unsigned kernels boot up on UEFI Secure Boot enabled machine



      Setup:

      OS: Canonical signed Ubuntu 16.04

      GRUB2: Canonical signed 2.02~beta2-36ubuntu3.17

      SHIM: Microsoft signed, Canonical keys in DB



      Normal secure boot works and confirmed via demsg BOOT_IMAGE log to observe *...efi.signed image loads and 'sbverify' to check whether the same is signed with Canonical key.



      I intend to disable unsigned kernel load on a UEFI machine with secure boot enabled. I referred to #1401532.
      and other links related to the issue.



      Is there any way to force only signed kernel load and block all unsigned kernel with the current setup mentioned above ?
      with minimal changes in grub.cfg, any patch, etc.



      Thanks,
      AT




      boot grub2 uefi secure-boot




      share|improve this question














      Problem:
      Unsigned kernels boot up on UEFI Secure Boot enabled machine



      Setup:

      OS: Canonical signed Ubuntu 16.04

      GRUB2: Canonical signed 2.02~beta2-36ubuntu3.17

      SHIM: Microsoft signed, Canonical keys in DB



      Normal secure boot works and confirmed via demsg BOOT_IMAGE log to observe *...efi.signed image loads and 'sbverify' to check whether the same is signed with Canonical key.



      I intend to disable unsigned kernel load on a UEFI machine with secure boot enabled. I referred to #1401532.
      and other links related to the issue.



      Is there any way to force only signed kernel load and block all unsigned kernel with the current setup mentioned above ?
      with minimal changes in grub.cfg, any patch, etc.



      Thanks,
      AT





      boot grub2 uefi secure-boot





      share|improve this question













      share|improve this question




      share|improve this question








      edited May 16 at 4:29

























      asked May 15 at 14:15









      aditya ece

      12




      12

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "89"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1036553%2fhow-to-enforce-secure-boot-on-the-following-setup-ubunutu-16-04-with-grub2%23new-answer', 'question_page');

          );

          Post as a guest






















          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes










           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1036553%2fhow-to-enforce-secure-boot-on-the-following-setup-ubunutu-16-04-with-grub2%23new-answer', 'question_page');

          );

          Post as a guest
































































          -

          Popular posts from this blog

          GRUB: Fatal! inconsistent data read from (0x84) 0+xxxxxx

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite Can anybody help me with this messages at (before) grub starts booting? . . Fatal! inconsistent data read from (0x84) 0+xxxxxx . Fatal! inconsistent data read from (0x84) n+yyyyyy . (hd0,4) This is running in dual boot with windows 7. Both Windows and Ubuntu are running flawlessly, except for this "errors" list. boot grub2 share | improve this question edited Apr 8 at 12:59 Byte Commander 59.4k 26 159 267 asked Apr 8 at 12:56 Viciente 6 1 add a comment  |  up vote 1 down vote favorite Can anybody help me with this messages at (before) grub starts booting? . . Fatal! inconsistent data read from (0x84) 0+xxxxxx . Fatal! inconsistent data read from (0x84) n+yyyyyy . (hd0,4) This is running in dual boot with windows 7. Both Windows and Ubuntu are running flawlessly, except for this "errors" list. boot grub2 share | improve th...
          Read more

          `kcmshell` modules relation with `/usr/share/applications`

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite A Little Background I am using Plasma V 5.5.5 , Qt V 5.5.1 , Kernel 4.4.0-116 , in a 64Bits OS with Kubuntu 16.04. I like the Phonon GUI to test Right and Left speakers separately, so I said, let's add it to the Favorites panel in the KDE dash: a simple drag and drop would do it. I did it, obtaining the following as a response when clicking the icon in the Favorites Panel: There had to be a workaround, I decided to go to the plasma-org.kde.plasma.desktop-appletsrc file, located at /home/toquica/.config , where I would look for the favoritesApps line (the one starting with [Containments][131][Applets][149][Configuration][General] because I am using the Application Dashboard option for the dash) and I actually found the entry: kcm_phonon.desktop . A Problem to a Solution I then decided to go to /usr/share/applications and create the file kcm_phonon.desktop with some information like: [Desktop Entry] Versio...
          Read more

          How to enroll fingerprints to Ubuntu 17.10 with VFS491

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I decided to switch from Windows to Ubuntu 17.10, I meet it like 8 years ago and I didn't decided to switch until now (haha). Well, my actual device is an HP Probook 4540s with a Validity fingerprint sensor (VFS491). The fingerprint sensor worked fine on Windows but I can't get it to work in Ubuntu. The device is recognized as 138a:003d but is not detected as a fingerprint scanner by some apps like Fingerprint GUI. I want to use the fingerprint scanner to log in into my user account in Ubuntu but it doesn't supports fingerprints without special software and the drivers of the fingerprint scanner are available for Windows but not for any Linux distribution. I found something on GitHub (https://github.com/eekpie/libfprint) about the integration of the VFS491 in libfprint and I think it can help but I don't know what to do with it, so that's why I need the help of the community to do it since I am...
          Read more