
List:       opensuse-factory
Subject:    Re: [opensuse-factory] How secure boot grub2 is going to find its configuration?
From:       Michael Chang <mchang () suse ! com>
Date:       2012-12-24 3:49:12
Message-ID: CAOx4COUx2x6H7RxjAV1Zp=uoMt2J6cBGxivVoLBSq5z2Fz9PKA () mail ! gmail ! com

2012/12/21 Andrey Borzenkov <arvidjaar@gmail.com>:
> I am still not sure how secure grub2 is going to find its grub.cfg.
> Normally its location is dynamically added to core.img. In case of
> secure grub2 core.img is prebuilt and signed during package creation
> (or may be signed later, not sure). So it is impossible to store
> information about grub root directory there. The only place which can
> be guaranteed to be auto-detected is ESP itself. But it is not where
> grub2 related files are installed currently ...
>
> Do I miss something here?

The $prefix will be built into the grub.efi image and signed with the SUSE
MOK. Thus the config path (/boot/efi/efi/openSUSE/grub.cfg) will not
be determined at run time but at (package) build time. And since the
grub.efi image will have the most relevant modules built in and disable
module (auto)loading, the modules under the grub2 directory (say
/boot/efi/efi/openSUSE/x86_64-efi/... ) are not needed in secure boot.

That would imply the grub2-install (or its equivalent created for
secureboot) will only have to copy grub2.efi from the system
directory (/usr/lib64/efi/grub.efi) to the ESP partition
(/boot/efi/efi/openSUSE/grub.efi) and be done.

Note the above would only apply to the boot path when secureboot is enabled
and does not affect any boot path in the non-secureboot case. Also you could
replace the signed grub2 with your own MOK and enroll it with
mokutils. (Please look at the previous blog post by Olaf and Voijtech to
get the idea of MOK.)

Thanks,
Michael

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
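The message above describes the secure boot install path as a plain copy of a prebuilt, signed grub.efi into the ESP, with the config path fixed at build time. The following POSIX sh script is an added example, not code from the thread or from the openSUSE grub2 package: it performs that copy, verifies the ESP copy is byte-identical to the packaged image (a cheap tamper/corruption check a defender can repeat later), and checks that the ESP directory holds what the built-in prefix expects. The function names and the `demo` helper are assumptions made for this example; the demonstration runs on a constructed temporary tree and never touches a real ESP.

```shell
#!/bin/sh
# Added example (not from the thread). Paths in comments are the ones the
# message names; the function arguments let the checks run against a
# constructed temporary tree instead of a live system.

# Copy the signed image into the ESP directory and confirm the copy is
# byte-identical to the packaged one. A later re-run of the cmp step
# detects a modified or truncated ESP copy. Returns 0 on success.
install_signed_grub() {
    src="$1"      # e.g. /usr/lib64/efi/grub.efi (packaged, signed image)
    esp_dir="$2"  # e.g. /boot/efi/efi/openSUSE
    mkdir -p "$esp_dir"
    cp "$src" "$esp_dir/grub.efi"
    cmp -s "$src" "$esp_dir/grub.efi"
}

# Verify the ESP directory holds what the signed image expects at run time:
# the image itself and grub.cfg at the fixed, build-time $prefix.
# Returns 0 when both exist, 1 otherwise.
check_esp_layout() {
    esp_dir="$1"
    [ -f "$esp_dir/grub.efi" ] && [ -f "$esp_dir/grub.cfg" ]
}

# The secure boot image has its modules built in and module loading
# disabled, so a loose module directory on the ESP is unused. Returns 0
# when no such directory is present.
check_no_loose_modules() {
    esp_dir="$1"
    [ ! -d "$esp_dir/x86_64-efi" ]
}

# Demonstration on a constructed temporary tree. The grub.efi here is a
# constructed stand-in, not a real signed image. Prints "ok" on success.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for a signed grub.efi\n' > "$tmp/grub.efi"
    install_signed_grub "$tmp/grub.efi" "$tmp/esp/efi/openSUSE" || return 1
    printf 'set timeout=5\n' > "$tmp/esp/efi/openSUSE/grub.cfg"
    check_esp_layout "$tmp/esp/efi/openSUSE" || return 1
    check_no_loose_modules "$tmp/esp/efi/openSUSE" || return 1
    rm -rf "$tmp"
    echo ok
}
```

Run `demo` to exercise the three steps on the temporary tree; on a real system the same functions would be called with the packaged image path and the ESP directory from the message, and `check_esp_layout` is the check to repeat if the machine ever fails to find its grub.cfg under secure boot.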
