I guess for VMs the Secure Boot key deployment happens on the host? Can’t be done after VM import? At least on Whonix Host should be possible in theory to (re)create Secure Boot keys.
Why not use use prebuild linux-unsigned from Debian and sign it?
(Only reason against it is a custom kernel - kernel recompilation for better hardening - but that does not look too likely mid term and is offtopic here.)
That is why the title of this thread is
- enable Linux kernel gpg verification in grub and/or
- enable Secure Boot by default
So even if we don’t figure out how to use SecureBoot and “only” figure out how to use UEFI we might be able to “enable Linux kernel gpg verification in grub”. Even without UEFI we might be able to “enable Linux kernel gpg verification in grub” - I haven’t found out if grub-pc (i.e. not grub-efi) is capable of signature verification.
Yes. Might reach same protection in VMs.
I was talking about VMs here. For VMs the only thing needed in theory:
- use shim-unsigned package from Debian and sign it with user [or distribution key]
- use grub-signed and linux-signed from Debian
- configure Secure Boot of VM to use user [or distribution] key
Custom Secure Boot key seems much easier to use in VMs - at least for Whonix Host - since there we should have capability to influence which keys are used by Secure Boot and because Debian used a nice modular implementation.
However at first boot of Whonix Host, ideally shim-unsigned, grub-unsigned, and linux-unsigned would all be automated, signed with user auto generated key.