grub2 feature request - DRAFT
To be posted against grub2 upstream as well as against Debian.
Please comment on / rewrite / improve this draft.
grub-pc check_signatures=enforce support (BIOS) (non-EFI)
Could you please make it possible to do signature verification with grub-pc too?
We, the maintainers of Linux distributions that primarily run inside VMs (Whonix; Kicksecure) would like to implement verified boot. Not necessarily Secure Boot.
At the moment, there are no tools that can create VM images (with Debian Linux) which support EFI booting. Also, support by virtualizers such as KVM, Xen, VirtualBox for Secure Boot is either non-existing or undocumented.
Another reason is, that inside VMs we don’t necessarily need the complexity of EFI.
Instead we could boot unverified (usual virtual BIOS legacy boot) from a virtual, read-only (write protected) boot medium (such as ISO). That boot loader on the initial boot disk (grub2) could then verify and chainload the boot loader (grub2) on the main disk. In result, we would have a verified boot sequence.