efi: Add EFI shim lock verifier
This module provides shim lock verification for various kernels if UEFI secure boot is enabled on a machine.

It is recommended to put this module into GRUB2 standalone image (avoid putting iorw and memrw modules into it; they are disallowed if UEFI secure boot is enabled). However, it is also possible to use it as a normal module. Though such configurations are more fragile and less secure due to various limitations.

If the module is loaded and UEFI secure boot is enabled then:
- module itself cannot be unloaded (persistent module),
- the iorw and memrw modules cannot be loaded,
- if the iorw and memrw modules are loaded then machine boot is disabled,
- GRUB2 defers modules and ACPI tables verification to other verifiers.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
parent 1cb4edf4ef
commit 81072e718a
3 changed files with 162 additions and 0 deletions
|
@ -923,6 +923,12 @@ module = {
|
|||
common = commands/verifiers.c;
|
||||
};
|
||||
|
||||
module = {
|
||||
name = shim_lock;
|
||||
common = commands/efi/shim_lock.c;
|
||||
enable = x86_64_efi;
|
||||
};
|
||||
|
||||
module = {
|
||||
name = hdparm;
|
||||
common = commands/hdparm.c;
|
||||
|
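Review bot: `enable = x86_64_efi;` in the new shim_lock entry limits the module to a single EFI target, while the commit message describes the verifier as applying whenever UEFI secure boot is enabled and does not mention that limit. A build for any other EFI target would get no shim_lock module from this entry, so please state the restriction and its reason in the commit message or the documentation, or widen the `enable` condition if the code allows it. The message also recommends the standalone image over loading shim_lock as a normal module "due to various limitations" without naming them; listing those limitations would let whoever assembles the image judge the risk of the module form.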