meta-efi-secure-boot/README: update to reflect using fallback to chainloader SELoader

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-07-25 09:33:16 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-07-25 09:33:16 +0800
commit: 567e817691d5dd25854cb1e43552a7f1d7b2da37 (patch)
tree: 3dcd8af3e1c397e769c8f316474b7408cb4d516c
parent: 008b18270f8d9d3e0c7a1eebb0cb4531e4e60ebe (diff)
download: meta-secure-core-567e817691d5dd25854cb1e43552a7f1d7b2da37.tar.gz
1 files changed, 17 insertions, 12 deletions
diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md
index 50f78ff..a98872b 100644
--- a/meta-efi-secure-boot/README.md
+++ b/meta-efi-secure-boot/README.md
@@ -10,11 +10,15 @@ chainloader the next stage bootloader with the integrity check using the
 shim-managed certificates corresponding to another set of trusted keys, which
 may be different than the trusted keys used by UEFI Secure Boot.
-In addition, this layer introduces the SELoader as the second-stage bootloader
+fallback is the second-stage bootloader used to by-pass the Red Hat shim
-and eventually chainliader to the third-stage bootloader "grub". With the
+signing review. It is designed to read a .csv file and will create a boot
-extension provided by SELoader, grub configuration files, kernel (even without
+option in BIOS boot manager for the first boot entry in .csv.
-EFI stub support) and initrd can be authenticated. This capability is not
-available in the shim bootloader.
+This layer introduces the SELoader as the third-stage bootloader and eventually
+chainliader to the fourth-stage bootloader "grub". With the extension provided
+by SELoader, grub configuration files, kernel (even without EFI stub support)
+and initrd can be authenticated. This capability is not available in the shim
+bootloader.
 Grub bootloader is also enhanced to support lockdown mode. In this mode, the
 edit, rescue and command line are protected in order to prevent from
@@ -31,11 +35,12 @@ A complete boot flow looks like as following:
 - UEFI firmware boot manager (UEFI Secure Boot enabled) ->
  - shim (verified by a DB certificate) ->
-    - SELoader (verified by a shim-managed certificate) ->
+    - fallback (verified by a shim-managed certificate) ->
-      - grub (verified by a shim-managed certificate) ->
+      - SELoader (verified by a shim-managed certificate) ->
-        - grub.cfg (verified by a shim-managed certificate)
+        - grub (verified by a shim-managed certificate) ->
-        - kernel (verified by a shim-managed certificate)
+          - grub.cfg (verified by a shim-managed certificate)
-        - initramfs (verified by a shim-managed certificate)
+          - kernel (verified by a shim-managed certificate)
+          - initramfs (verified by a shim-managed certificate)
 ### Quick Start For The First Boot
 - Deploy the rootfs
@@ -298,8 +303,8 @@ Each boot component may have different verification failure phenomenon.
 ### MOK Secure Boot and the shim bootloader
 MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to
-chainloader the second-stage bootloader "SELoader" and eventually chainliader
+chainloader the bootloader "SELoader" and eventually chainliader to the
-to the third-stage bootloader "grub".
+bootloader "grub".
 [ Quoting: https://github.com/rhboot/shim ]
 shim is a trivial EFI application that, when run, attempts to open and
author	Lans Zhang <jia.zhang@windriver.com>	2017-07-25 09:33:16 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-07-25 09:33:16 +0800
commit	567e817691d5dd25854cb1e43552a7f1d7b2da37 (patch)
tree	3dcd8af3e1c397e769c8f316474b7408cb4d516c
parent	008b18270f8d9d3e0c7a1eebb0cb4531e4e60ebe (diff)
download	meta-secure-core-567e817691d5dd25854cb1e43552a7f1d7b2da37.tar.gz

diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md index 50f78ff..a98872b 100644 --- a/meta-efi-secure-boot/README.md +++ b/meta-efi-secure-boot/README.md
@@ -10,11 +10,15 @@ chainloader the next stage bootloader with the integrity check using the
10	shim-managed certificates corresponding to another set of trusted keys, which	10	shim-managed certificates corresponding to another set of trusted keys, which
11	may be different than the trusted keys used by UEFI Secure Boot.	11	may be different than the trusted keys used by UEFI Secure Boot.
12		12
13	In addition, this layer introduces the SELoader as the second-stage bootloader	13	fallback is the second-stage bootloader used to by-pass the Red Hat shim
14	and eventually chainliader to the third-stage bootloader "grub". With the	14	signing review. It is designed to read a .csv file and will create a boot
15	extension provided by SELoader, grub configuration files, kernel (even without	15	option in BIOS boot manager for the first boot entry in .csv.
16	EFI stub support) and initrd can be authenticated. This capability is not	16
17	available in the shim bootloader.	17	This layer introduces the SELoader as the third-stage bootloader and eventually
		18	chainliader to the fourth-stage bootloader "grub". With the extension provided
		19	by SELoader, grub configuration files, kernel (even without EFI stub support)
		20	and initrd can be authenticated. This capability is not available in the shim
		21	bootloader.
18		22
19	Grub bootloader is also enhanced to support lockdown mode. In this mode, the	23	Grub bootloader is also enhanced to support lockdown mode. In this mode, the
20	edit, rescue and command line are protected in order to prevent from	24	edit, rescue and command line are protected in order to prevent from
@@ -31,11 +35,12 @@ A complete boot flow looks like as following:
31		35
32	- UEFI firmware boot manager (UEFI Secure Boot enabled) ->	36	- UEFI firmware boot manager (UEFI Secure Boot enabled) ->
33	- shim (verified by a DB certificate) ->	37	- shim (verified by a DB certificate) ->
34	- SELoader (verified by a shim-managed certificate) ->	38	- fallback (verified by a shim-managed certificate) ->
35	- grub (verified by a shim-managed certificate) ->	39	- SELoader (verified by a shim-managed certificate) ->
36	- grub.cfg (verified by a shim-managed certificate)	40	- grub (verified by a shim-managed certificate) ->
37	- kernel (verified by a shim-managed certificate)	41	- grub.cfg (verified by a shim-managed certificate)
38	- initramfs (verified by a shim-managed certificate)	42	- kernel (verified by a shim-managed certificate)
		43	- initramfs (verified by a shim-managed certificate)
39		44
40	### Quick Start For The First Boot	45	### Quick Start For The First Boot
41	- Deploy the rootfs	46	- Deploy the rootfs
@@ -298,8 +303,8 @@ Each boot component may have different verification failure phenomenon.
298		303
299	### MOK Secure Boot and the shim bootloader	304	### MOK Secure Boot and the shim bootloader
300	MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to	305	MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to
301	chainloader the second-stage bootloader "SELoader" and eventually chainliader	306	chainloader the bootloader "SELoader" and eventually chainliader to the
302	to the third-stage bootloader "grub".	307	bootloader "grub".
303		308
304	[ Quoting: https://github.com/rhboot/shim ]	309	[ Quoting: https://github.com/rhboot/shim ]
305	shim is a trivial EFI application that, when run, attempts to open and	310	shim is a trivial EFI application that, when run, attempts to open and