[Whonix-devel] Bug#939188: grub-PC check_signatures=enforce support (non-EFI)

Patrick Schleizer adrelanos at riseup.net
Mon Sep 2 07:46:00 CEST 2019

Package: grub2
Severity: wishlist
X-Debbugs-CC: whonix-devel at whonix.org

Could you please make it possible to do signature verification with
grub-pc too?


We, the maintainers of Linux distributions that primarily run inside VMs
(Whonix; Kicksecure) would like to implement verified boot. Not
necessarily Secure Boot.

At the moment, there are no tools that can create VM images (with Debian
Linux) which support EFI booting. Also, support by virtualizers such as
KVM, Xen, VirtualBox for Secure Boot is either non-existing or undocumented.

Another reason is, that inside VMs we don’t necessarily need the
complexity of EFI.

Instead we could boot unverified (usual virtual BIOS legacy boot) from a
virtual, read-only (write protected) boot medium (such as ISO). That
boot loader on the initial boot disk (grub2) could then verify and
chainload the boot loader (grub2) on the main disk. Which then would go
on to verify the kernel. In result, we would have a verified boot sequence.

More information about the Whonix-devel mailing list