diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md index 50f78ff..a98872b 100644 --- a/meta-efi-secure-boot/README.md +++ b/meta-efi-secure-boot/README.md @@ -10,11 +10,15 @@ chainloader the next stage bootloader with the integrity check using the shim-managed certificates corresponding to another set of trusted keys, which may be different than the trusted keys used by UEFI Secure Boot. -In addition, this layer introduces the SELoader as the second-stage bootloader -and eventually chainliader to the third-stage bootloader "grub". With the -extension provided by SELoader, grub configuration files, kernel (even without -EFI stub support) and initrd can be authenticated. This capability is not -available in the shim bootloader. +fallback is the second-stage bootloader used to by-pass the Red Hat shim +signing review. It is designed to read a .csv file and will create a boot +option in BIOS boot manager for the first boot entry in .csv. + +This layer introduces the SELoader as the third-stage bootloader and eventually +chainliader to the fourth-stage bootloader "grub". With the extension provided +by SELoader, grub configuration files, kernel (even without EFI stub support) +and initrd can be authenticated. This capability is not available in the shim +bootloader. Grub bootloader is also enhanced to support lockdown mode. In this mode, the edit, rescue and command line are protected in order to prevent from 
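Review bot: the new paragraph describes fallback as a bootloader "used to by-pass the Red Hat shim signing review", which reads as if the component exists to defeat a security control; the following sentence gives its actual function (read a .csv and create a boot option for the first entry), so the motivation should be stated in those terms, e.g. that fallback lets the layer enroll its own boot entry without shipping a separately signed second-stage loader, and name the file it reads (the .csv is left unnamed). Two smaller points in the same hunk: "BIOS boot manager" should be "UEFI boot manager" to match "UEFI firmware boot manager" used in the boot-flow list below, and the typo "chainliader" is carried over unchanged into the added line "chainliader to the fourth-stage bootloader \"grub\""; fix it to "chainloader" while touching the line. Finally, this hunk introduces the numbering "third-stage"/"fourth-stage" while the later hunk in the MOK Secure Boot section deletes stage numbering altogether; pick one convention for the whole README.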
@@ -31,11 +35,12 @@ A complete boot flow looks like as following: - UEFI firmware boot manager (UEFI Secure Boot enabled) -> - shim (verified by a DB certificate) -> - - SELoader (verified by a shim-managed certificate) -> - - grub (verified by a shim-managed certificate) -> - - grub.cfg (verified by a shim-managed certificate) - - kernel (verified by a shim-managed certificate) - - initramfs (verified by a shim-managed certificate) + - fallback (verified by a shim-managed certificate) -> + - SELoader (verified by a shim-managed certificate) -> + - grub (verified by a shim-managed certificate) -> + - grub.cfg (verified by a shim-managed certificate) + - kernel (verified by a shim-managed certificate) + - initramfs (verified by a shim-managed certificate) ### Quick Start For The First Boot - Deploy the rootfs @@ -298,8 +303,8 @@ Each boot component may have different verification failure phenomenon. ### MOK Secure Boot and the shim bootloader MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to -chainloader the second-stage bootloader "SELoader" and eventually chainliader -to the third-stage bootloader "grub". +chainloader the bootloader "SELoader" and eventually chainliader to the +bootloader "grub". [ Quoting: https://github.com/rhboot/shim ] shim is a trivial EFI application that, when run, attempts to open and
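Review bot: in the boot-flow list, drawing "fallback (verified by a shim-managed certificate) -> SELoader (verified by a shim-managed certificate)" as a straight chain is inconsistent with the description added earlier in this patch, where fallback's job is to "create a boot option" in the boot manager rather than to load the next stage itself. Either annotate the fallback entry as a first-boot/conditional step after which control returns to the UEFI firmware boot manager and the chain restarts at shim, or state explicitly that fallback chainloads SELoader directly, so the reader knows which component performs the SELoader verification. The "verified by a shim-managed certificate" label on fallback also deserves a sentence in the text: the README says shim verifies the next stage against shim-managed certificates, but nothing yet says fallback is that next stage or how its binary is signed.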
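Review bot: the rewritten sentence in the MOK Secure Boot section now says shim chainloads "the bootloader \"SELoader\"" directly, but after this patch the flow list places fallback between shim and SELoader, so the sentence no longer matches the documented chain; mention fallback here as well or explain that it is only present on the first boot. The typo "chainliader" is preserved in the new line "chainloader the bootloader \"SELoader\" and eventually chainliader to the"; since the line is being rewritten anyway, change it to "chainloader". Removing the "second-stage"/"third-stage" wording here while the first hunk adds "third-stage"/"fourth-stage" leaves the README using two conventions; apply one consistently.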