mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-05-07 10:09:22 +00:00
meta-efi-secure-boot/README: update to reflect using fallback to chainloader SELoader
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
@@ -10,11 +10,15 @@ chainloader the next stage bootloader with the integrity check using the
shim-managed certificates corresponding to another set of trusted keys, which
shim-managed certificates corresponding to another set of trusted keys, which
may be different than the trusted keys used by UEFI Secure Boot.
may be different than the trusted keys used by UEFI Secure Boot.
In addition, this layer introduces the SELoader as the second-stage bootloader
fallback is the second-stage bootloader used to by-pass the Red Hat shim
and eventually chainliader to the third-stage bootloader "grub". With the
signing review. It is designed to read a .csv file and will create a boot
extension provided by SELoader, grub configuration files, kernel (even without
option in BIOS boot manager for the first boot entry in .csv.
EFI stub support) and initrd can be authenticated. This capability is not
available in the shim bootloader.
This layer introduces the SELoader as the third-stage bootloader and eventually
chainliader to the fourth-stage bootloader "grub". With the extension provided
by SELoader, grub configuration files, kernel (even without EFI stub support)
and initrd can be authenticated. This capability is not available in the shim
bootloader.
Grub bootloader is also enhanced to support lockdown mode. In this mode, the
Grub bootloader is also enhanced to support lockdown mode. In this mode, the
edit, rescue and command line are protected in order to prevent from
edit, rescue and command line are protected in order to prevent from
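Review bot: the new paragraph carries the misspelling "chainliader" (for "chainloader") into "chainliader to the fourth-stage bootloader", and "by-pass" should be "bypass". More importantly, "used to by-pass the Red Hat shim signing review" is ambiguous: read on its own it suggests fallback escapes verification, while the boot-flow list in this same patch states that fallback is verified by a shim-managed certificate; say explicitly what the review is bypassed for (the next sentences only describe reading a .csv file and creating a boot option). "boot option in BIOS boot manager" is also inconsistent with "UEFI firmware boot manager" used in the boot-flow list; suggest "UEFI boot manager". Finally, this hunk numbers the stages (fallback second-stage, SELoader third-stage, grub fourth-stage) while the last hunk of the patch removes the stage numbers from the MOK Secure Boot section; pick one convention.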
@@ -31,11 +35,12 @@ A complete boot flow looks like as following:
- UEFI firmware boot manager (UEFI Secure Boot enabled) ->
- UEFI firmware boot manager (UEFI Secure Boot enabled) ->
- shim (verified by a DB certificate) ->
- shim (verified by a DB certificate) ->
- SELoader (verified by a shim-managed certificate) ->
- fallback (verified by a shim-managed certificate) ->
- grub (verified by a shim-managed certificate) ->
- SELoader (verified by a shim-managed certificate) ->
- grub.cfg (verified by a shim-managed certificate)
- grub (verified by a shim-managed certificate) ->
- kernel (verified by a shim-managed certificate)
- grub.cfg (verified by a shim-managed certificate)
- initramfs (verified by a shim-managed certificate)
- kernel (verified by a shim-managed certificate)
- initramfs (verified by a shim-managed certificate)
### Quick Start For The First Boot
### Quick Start For The First Boot
- Deploy the rootfs
- Deploy the rootfs
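Review bot: inserting "- fallback (verified by a shim-managed certificate) ->" unconditionally between shim and SELoader makes the list read as if every boot passes through fallback, whereas the first hunk describes fallback as creating a boot option for the first boot entry in the .csv, and the section directly below is titled "Quick Start For The First Boot". Suggest marking the step as first-boot only, e.g. "- fallback (verified by a shim-managed certificate; first boot only) ->", or adding one sentence on what the flow looks like once the boot option exists.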
@@ -298,8 +303,8 @@ Each boot component may have different verification failure phenomenon.
### MOK Secure Boot and the shim bootloader
### MOK Secure Boot and the shim bootloader
MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to
MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to
chainloader the second-stage bootloader "SELoader" and eventually chainliader
chainloader the bootloader "SELoader" and eventually chainliader to the
to the third-stage bootloader "grub".
bootloader "grub".
[ Quoting: https://github.com/rhboot/shim ]
[ Quoting: https://github.com/rhboot/shim ]
shim is a trivial EFI application that, when run, attempts to open and
shim is a trivial EFI application that, when run, attempts to open and
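Review bot: the rewritten sentence "chainloader the bootloader "SELoader" and eventually chainliader to the bootloader "grub"" omits fallback entirely, although the boot-flow list in this same patch places it between shim and SELoader; mention it here or state that it is only involved on the first boot. The typo "chainliader" (for "chainloader") is carried over unchanged from the removed line; since the line is being rewritten anyway, fix it. Dropping "second-stage" and "third-stage" here while the first hunk adds "third-stage" and "fourth-stage" leaves the README inconsistent about stage numbering.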