Bug 51164 - Consider to sign default grub font when secure boot is enabled.
Status: NEW
Alias: None
Product: Sisyphus
Classification: Development
Component: grub
Version: unstable
Hardware: x86_64 Linux
Importance: P5 minor
Assignee: Egor Ignatov
QA Contact: qa-sisyphus
Reported: 2024-08-15 21:00 MSK by Constantin
Modified: 2024-08-30 12:23 MSK
Description Constantin 2024-08-15 21:00:55 MSK
It seems that grub does not have a properly signed boot font when secure boot is enabled.

Steps to reproduce:

1. Enable Secure Boot in your UEFI environment.
2. Install the Sisyphus weekly image in the ordinary way.
3. Try to reboot the system and look at what grub writes on the terminal when booting. In my case I see:

error: prohibited by secure boot policy

AFAIK these types of errors may be shown when the font in /boot/grub/fonts/<somefont>.pf2 is unsigned.

Consider generating a GPG keypair and enrolling the public GPG key from that pair directly into the grub EFI image, and signing the font with the private GPG key. /boot/grub/fonts/<somefont>.pf2.sig will be generated, and the error should be gone.

Generally, this error does not affect the normal boot process. Maybe the user should not look at kernel messages when the system is booting in some cases. So I think that it is not an important or serious error.
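
An audit for the layout the description proposes (each <somefont>.pf2 accompanied by a detached <somefont>.pf2.sig), as an added example that is not part of the bug report or of ALT's grub packaging. The function names, the key ID argument and the keyring path are assumptions; the keyring is taken to be a file holding the public key that would be embedded in the grub EFI image.

```shell
#!/bin/sh
# Added example: sign GRUB fonts with a detached GPG signature and audit the result.
# Assumed layout, from the description: <dir>/<font>.pf2 with <dir>/<font>.pf2.sig.

# sign_font KEYID FILE: write FILE.sig as a binary detached signature.
sign_font() {
    gpg --batch --yes --local-user "$1" --output "$2.sig" --detach-sign "$2"
}

# verify_sig KEYRING FILE: succeed only if FILE.sig is a valid signature over
# FILE made by a key in KEYRING. gpgv trusts exactly the keys in that keyring.
verify_sig() {
    gpgv --keyring "$1" "$2.sig" "$2" >/dev/null 2>&1
}

# audit_fonts DIR KEYRING: print one status line per font and return non-zero
# if any font is unsigned (MISSING) or its signature does not verify (BAD).
audit_fonts() {
    dir=$1
    keyring=$2
    rc=0
    for font in "$dir"/*.pf2; do
        [ -e "$font" ] || continue          # the glob matched nothing
        if [ ! -s "$font.sig" ]; then
            echo "MISSING $font"
            rc=1
        elif ! verify_sig "$keyring" "$font"; then
            echo "BAD $font"
            rc=1
        else
            echo "OK $font"
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh /boot/grub/fonts /path/to/pubring.gpg
if [ "$#" -eq 2 ]; then
    audit_fonts "$1" "$2"
fi
```

A non-zero exit status makes the audit usable as a post-install or packaging check.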
Comment 1 Николай Костригин 2024-08-30 12:23:28 MSK
AFAIK the problem should have been solved in grub-2.06-alt18.
egori@, please correct me if I'm wrong.