vbatts/grub
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

efi: Add EFI shim lock verifier

Browse source 
This module provides shim lock verification for various kernels
if UEFI secure boot is enabled on a machine.

It is recommended to put this module into GRUB2 standalone image
(avoid putting iorw and memrw modules into it; they are disallowed
if UEFI secure boot is enabled). However, it is also possible to use
it as a normal module. Though such configurations are more fragile
and less secure due to various limitations.

If the module is loaded and UEFI secure boot is enabled then:
  - module itself cannot be unloaded (persistent module),
  - the iorw and memrw modules cannot be loaded,
  - if the iorw and memrw modules are loaded then
    machine boot is disabled,
  - GRUB2 defers modules and ACPI tables verification to
    other verifiers.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
This commit is contained in:
Daniel Kiper 2018-08-03 13:25:44 +02:00
parent ee7808e219
commit 878398c1a3
3 changed files with 162 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
docs/grub.texi
View file

@ -5544,6 +5544,7 @@ environment variables and commands are listed in the same order.
@menu
* Authentication and authorisation:: Users and access control
* Using digital signatures:: Booting digitally signed code
* UEFI secure boot and shim:: Booting digitally signed PE files
@end menu
@node Authentication and authorisation
@ -5706,6 +5707,20 @@ or BIOS) configuration to cause the machine to boot from a different
(attacker-controlled) device. GRUB is at best only one link in a
secure boot chain.
@node UEFI secure boot and shim
@section UEFI secure boot and shim support
The GRUB, except the @command{chainloader} command, works with the UEFI secure
boot and the shim. This functionality is provided by the shim_lock module. It
is recommend to build in this and other required modules into the @file{core.img}.
All modules not stored in the @file{core.img} and the ACPI tables for the
@command{acpi} command have to be signed, e.g. using PGP. Additionally, the
@command{iorw} and the @command{memrw} commands are prohibited if the UEFI
secure boot is enabled. This is done due to security reasons. All above
mentioned requirements are enforced by the shim_lock module. And itself it
is a persistent module which means that it cannot be unloaded if it was
loaded into the memory.
@node Platform limitations
@chapter Platform limitations