--
You received this message because you are subscribed to the Google Groups "Android-x86" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-x86...@googlegroups.com.
To post to this group, send email to andro...@googlegroups.com.
Visit this group at https://groups.google.com/group/android-x86.
For more options, visit https://groups.google.com/d/optout.
If you really care so much about secure boot, you should really get a spare system for testing Android.
(or reduce your virus fear level...)
If you really care so much about secure boot, you should really get a spare system for testing Android.
I don't want to test Android on my machine, there are plenty of testers already, I want to use it.
(or reduce your virus fear level...)
Too much is better than too little
Well then wait until someone provides a signed kernel.
Or just use what is available.
Well, all secure boot really does is prevent you from booting stuff not signed by MS. It is not an antivirus.
Well then wait until someone provides a signed kernel.
Or just use what is available.
I'm gonna cite myself:
"Also, on the next release, signing the kernel and the initramd.img [...] would be great"
Well, all secure boot really does is prevent you from booting stuff not signed by MS. It is not an antivirus.
Wrong, secure boot is fully customizable (You can add your own keys) and specified in the UEFI Specification, it is just that almost all computers includes Windows and therefore where configure to boot Windows with Secure Boot activated. Almost all Linux distros uses secure boot. It is not an antivirus, I agree, but it is a good protection for virus trying to infiltrate the boot process
Making Android compatible with Secure Boot would allow to install and boot it on ARM computers, the secure boot and it's database being locked at it's default on those.
Then what prevents you from making your own keys and signing ?
This is an FOSS project and things are only done when there's a demand for them.
If there aren't many users who need Secure Boot support (and I think most users don't really care about it), nobody will bother supporting it.
You mean Windows RT ? I think those systems are locked to MS signed stuff and there's no MS signed GRUB available for ARM.
Also, this project targets the x86 architecture (hence the name, Android x86), not ARM.
Then what prevents you from making your own keys and signing ?
1. HP badly made their BIOS
2. I prefer having all already set up and ready to boot after install
3. I only have a live Linux distro and messing with things out of an OS means a lot of restarts, long Wi-fi password typing and installs.
This is an FOSS project and things are only done when there's a demand for them.
If there aren't many users who need Secure Boot support (and I think most users don't really care about it), nobody will bother supporting it.
Come on, it's not complicated:
Download and add shim as \EFI\Boot\bootx64.efi
Download and add Canonical's signed GRUB to \EFI\Boot\grubx64.efi
And do the same thing while installing GRUB2 EFI
If Chih-Wei Huang was able to add GRUB to its IMG and installer, he does the exact same thing, but with two files instead of one. And prevent future Secure Boot-locked user complaining about Secure Boot (because Microsoft might decide to force OEMs to lock Secure Boot to have their discounts on Windows keys and their nice little "Windows" sticker). There's already a patch about that, it's on the rails for being pulled.
You mean Windows RT ? I think those systems are locked to MS signed stuff and there's no MS signed GRUB available for ARM.
There's now Windows 10 tablet with an ARM architecture, and here's why shim was made: Making users with computers for Windows allow to keep secure boot on and boot something else. Shim is signed by Microsoft and allows to boot anything in the same folder name "grubx64.efi" if it is signed by a key in it's MOK (Canonical's CA is included by default on it). Once the first stage is loaded by the EFI system, it doesn't make any other check and thus allows to boot GRUB on a Surface RT, the only problem is to have version of GRUB and shim for ARM.
Also, this project targets the x86 architecture (hence the name, Android x86), not ARM.
*Facepalm* ... Android was originally for ARM. But some users managed to make a version bootable on ARM computers.
--
I agree with Povilas, disabling secure boot isn't going to make your device any less secure.
However, if we can add secure boot support, then it should be considered - but only since there are some Atom-based tablets that can't disable secure boot that we would be able to support in the process.
"the only problem is to have version of GRUB and shim for ARM"
I don't thing we're ever going to have those. Unless MS changes their mind.
Since when Sony Vaio Tap 11 is an ARM computer ?
Working ARM means that Houdini translator is included to allow ARM apps to run.
Hi Luke,
Do you have any update about the secure boot support?
I think we have a ticket for it but I couldn't find it now.
--
Chih-Wei
Android-x86 project
http://www.android-x86.org
We still use a unsigned kernel, right?
I remember you said to support self-signed kernels,
a x509 certificate will need to be created, used to sign the kernel
and added to bootx64.efi and grubx64.efi's key db.
Are you working on this?
Then please create a ticket for it.
We still use a unsigned kernel, right?
I remember you said to support self-signed kernels,
a x509 certificate will need to be created, used to sign the kernel
and added to bootx64.efi and grubx64.efi's key db.
Secure boot is working fine for x64 systems. x86 systems are unsupported due
to Canonical not having a signed x86 grub.