From 567e817691d5dd25854cb1e43552a7f1d7b2da37 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Tue, 25 Jul 2017 09:33:16 +0800 Subject: meta-efi-secure-boot/README: update to reflect using fallback to chainloader SELoader Signed-off-by: Lans Zhang --- meta-efi-secure-boot/README.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md index 50f78ff..a98872b 100644 --- a/meta-efi-secure-boot/README.md +++ b/meta-efi-secure-boot/README.md @@ -10,11 +10,15 @@ chainloader the next stage bootloader with the integrity check using the shim-managed certificates corresponding to another set of trusted keys, which may be different than the trusted keys used by UEFI Secure Boot. -In addition, this layer introduces the SELoader as the second-stage bootloader -and eventually chainliader to the third-stage bootloader "grub". With the -extension provided by SELoader, grub configuration files, kernel (even without -EFI stub support) and initrd can be authenticated. This capability is not -available in the shim bootloader. +fallback is the second-stage bootloader used to by-pass the Red Hat shim +signing review. It is designed to read a .csv file and will create a boot +option in BIOS boot manager for the first boot entry in .csv. + +This layer introduces the SELoader as the third-stage bootloader and eventually +chainliader to the fourth-stage bootloader "grub". With the extension provided +by SELoader, grub configuration files, kernel (even without EFI stub support) +and initrd can be authenticated. This capability is not available in the shim +bootloader. Grub bootloader is also enhanced to support lockdown mode. In this mode, the edit, rescue and command line are protected in order to prevent from 
@@ -31,11 +35,12 @@ A complete boot flow looks like as following: - UEFI firmware boot manager (UEFI Secure Boot enabled) -> - shim (verified by a DB certificate) -> - - SELoader (verified by a shim-managed certificate) -> - - grub (verified by a shim-managed certificate) -> - - grub.cfg (verified by a shim-managed certificate) - - kernel (verified by a shim-managed certificate) - - initramfs (verified by a shim-managed certificate) + - fallback (verified by a shim-managed certificate) -> + - SELoader (verified by a shim-managed certificate) -> + - grub (verified by a shim-managed certificate) -> + - grub.cfg (verified by a shim-managed certificate) + - kernel (verified by a shim-managed certificate) + - initramfs (verified by a shim-managed certificate) ### Quick Start For The First Boot - Deploy the rootfs @@ -298,8 +303,8 @@ Each boot component may have different verification failure phenomenon. ### MOK Secure Boot and the shim bootloader MOK Secure Boot is based on UEFI Secure Boot, adding the shim bootloader to -chainloader the second-stage bootloader "SELoader" and eventually chainliader -to the third-stage bootloader "grub". +chainloader the bootloader "SELoader" and eventually chainliader to the +bootloader "grub". [ Quoting: https://github.com/rhboot/shim ] shim is a trivial EFI application that, when run, attempts to open and -- cgit v1.2.3-54-g00ecf
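Review bot: the misspelling "chainliader" is carried into the new text of the first hunk (@@ -10,11 +10,15 @@, "eventually chainliader to the fourth-stage bootloader") and "by-pass" should be "bypass"; more importantly, "fallback is the second-stage bootloader used to by-pass the Red Hat shim signing review" reads as if a verification step were being circumvented, so it is worth stating plainly that what is avoided is submitting each later-stage binary for that review, while fallback, SELoader, grub and the rest are still verified against the shim-managed certificates, as the boot-flow list in this README shows. "It is designed to read a .csv file" would also be more useful to an integrator if it named the file and the location fallback expects it in.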
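Review bot: in the boot-flow hunk (@@ -31,11 +35,12 @@) every component after the firmware is annotated with what verifies it, but the .csv that fallback reads to create the boot option (per the first hunk) does not appear in the list at all. Either add it with its verification status, or state explicitly that the .csv is not an authenticated input and that the boot option it creates only leads to binaries that are themselves verified by shim-managed certificates; as written, a reader cannot tell whether modification of the .csv is within what this boot chain protects against.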
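Review bot: the third hunk (@@ -298,8 +303,8 @@) keeps the misspelling "chainliader" and, by dropping the stage numbering, no longer matches the first hunk, which introduces fallback as second stage, SELoader as third and grub as fourth; it also still says shim chainloads "SELoader" directly, whereas the new boot flow has shim load fallback first. Suggest rewording along the lines of "adding the shim bootloader to chainload fallback, which in turn chainloads the bootloader "SELoader" and eventually the bootloader "grub"", and using either numbered stages or no numbering consistently across the README.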