mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-05-07 02:08:20 +00:00
meta-efi-secure-boot/README: update to reflect using fallback to chainloader SELoader
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
@@ -10,11 +10,15 @@ chainloader the next stage bootloader with the integrity check using the
shim-managed certificates corresponding to another set of trusted keys, which
may be different than the trusted keys used by UEFI Secure Boot.
In addition, this layer introduces the SELoader as the second-stage bootloader
and eventually chainliader to the third-stage bootloader "grub". With the
extension provided by SELoader, grub configuration files, kernel (even without
EFI stub support) and initrd can be authenticated. This capability is not
available in the shim bootloader.
fallback is the second-stage bootloader used to by-pass the Red Hat shim
signing review. It is designed to read a .csv file and will create a boot
option in BIOS boot manager for the first boot entry in .csv.
This layer introduces the SELoader as the third-stage bootloader and eventually
chainliader to the fourth-stage bootloader "grub". With the extension provided
by SELoader, grub configuration files, kernel (even without EFI stub support)
and initrd can be authenticated. This capability is not available in the shim
bootloader.
Grub bootloader is also enhanced to support lockdown mode. In this mode, the
edit, rescue and command line are protected in order to prevent from
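Review bot: the new paragraph "fallback is the second-stage bootloader used to by-pass the Red Hat shim signing review" reads as if fallback escapes signature checking, which the boot flow list in this same change contradicts ("fallback (verified by a shim-managed certificate)"); please clarify what is meant, or describe fallback by what the paragraph itself says it does, e.g. "fallback is the second-stage bootloader that reads a .csv file and registers a boot option for its first entry in the UEFI boot manager". The paragraph should also name the .csv file and where it is read from, and "BIOS boot manager" should match the "UEFI firmware boot manager" wording used in the boot flow list. The carried-over typo "chainliader" in "eventually chainliader to the fourth-stage bootloader" should become "chainloader".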
@@ -31,11 +35,12 @@ A complete boot flow looks like as following:
- UEFI firmware boot manager (UEFI Secure Boot enabled) ->
- shim (verified by a DB certificate) ->
- SELoader (verified by a shim-managed certificate) ->
- grub (verified by a shim-managed certificate) ->
- grub.cfg (verified by a shim-managed certificate)
- kernel (verified by a shim-managed certificate)
- initramfs (verified by a shim-managed certificate)
- fallback (verified by a shim-managed certificate) ->
- SELoader (verified by a shim-managed certificate) ->
- grub (verified by a shim-managed certificate) ->
- grub.cfg (verified by a shim-managed certificate)
- kernel (verified by a shim-managed certificate)
- initramfs (verified by a shim-managed certificate)
### Quick Start For The First Boot
- Deploy the rootfs
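Review bot: the updated boot flow list labels every stage after shim as "verified by a shim-managed certificate" but never says which stage performs each check, so a reader cannot tell that grub.cfg, kernel and initramfs are authenticated by the SELoader extension described earlier ("grub configuration files, kernel ... and initrd can be authenticated") rather than chainloaded like the entries above them; state the verifying stage on each line (e.g. "grub.cfg (verified by SELoader against a shim-managed certificate)") or indent the three non-chainloaded items under grub. The list also shows fallback itself as signature-verified, which should be reconciled with the "by-pass the Red Hat shim signing review" description added earlier in this README.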
@@ -298,8 +303,8 @@ Each boot component may have different verification failure phenomenon.
### MOK Secure Boot and the shim bootloader
MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to
chainloader the second-stage bootloader "SELoader" and eventually chainliader
to the third-stage bootloader "grub".
chainloader the bootloader "SELoader" and eventually chainliader to the
bootloader "grub".
[ Quoting: https://github.com/rhboot/shim ]
shim is a trivial EFI application that, when run, attempts to open and
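Review bot: the added line "chainloader the bootloader "SELoader" and eventually chainliader to the bootloader "grub"" keeps the typo "chainliader"; change it to "chainloader". Dropping the stage ordinals here also leaves the sentence saying shim chainloads SELoader directly, while the boot flow earlier in this README now places fallback between shim and SELoader; either mention fallback in this sentence or point to the boot flow list so the two descriptions agree.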