[Bug 1179492] New: Test grub booting using pe/coff boot entry to support shim and MOK
https://bugzilla.suse.com/show_bug.cgi?id=1179492

Bug ID: 1179492
Summary: Test grub booting using pe/coff boot entry to support shim and MOK
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: aarch64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: screening-team-bugs@suse.de
Reporter: mchang@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

To support shim lock protocol and use MOK (Machine Owner Key), grub has to load and boot the kernel on its own without resorting to firmware protocols, namely UEFI LoadImage and StartImage protocols, which would only know about keys in db and dbx and thus would reject an image with signature of MOK.

To finalize UEFI Secure Boot to fully utilize the capability of shim, the grub package with needed implementation to achieve that is available here.

https://build.opensuse.org/package/show/home:michael-chang:arm64-linuxefi/gr...

In a nutshell, it will call out shim_lock protocol to verify the image, and then jump directly to the PE/COFF entry to boot the image if preceding verification goes successfully.

This ticket is opened to track any issue in grub with respect to needed change to adopt shim and MOK on aarch64.

--
You are receiving this mail because:
You are on the CC list for the bug.
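
The ordering described in the bug description above (verify first, then locate the PE/COFF entry point), as an added example that is not part of the bug report and is not code from the grub package. The `accept_image`/`reject_image` callbacks are hypothetical stand-ins for the shim_lock verdict, and the image is a constructed header-only sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the shim_lock verdict: 0 means the image is accepted. */
typedef int (*verify_fn)(const uint8_t *img, size_t len);
static int accept_image(const uint8_t *i, size_t n) { (void)i; (void)n; return 0; }
static int reject_image(const uint8_t *i, size_t n) { (void)i; (void)n; return -1; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns the entry-point RVA, or a negative code if the image must not be started. */
int64_t pe_entry_after_verify(const uint8_t *img, size_t len, verify_fn verify)
{
    if (verify(img, len) != 0)
        return -1;                              /* verification failed: stop here */
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -2;                              /* no DOS header */
    uint32_t pe = rd32(img + 0x3c);             /* e_lfanew: offset of "PE\0\0" */
    if (pe > len || len - pe < 4 + 20 + 60 || memcmp(img + pe, "PE\0\0", 4) != 0)
        return -2;                              /* headers truncated or signature missing */
    const uint8_t *opt = img + pe + 24;         /* optional header follows the 20-byte COFF header */
    if (rd16(img + pe + 4) != 0xAA64 || rd16(opt) != 0x20b)
        return -3;                              /* not an ARM64 PE32+ image */
    uint32_t entry = rd32(opt + 16), image_size = rd32(opt + 56);
    if (entry == 0 || entry >= image_size)
        return -4;                              /* entry point outside the image */
    return (int64_t)entry;
}

/* Constructed sample: a header-only ARM64 PE32+ image with the given entry RVA. */
int64_t demo(int accept, uint32_t entry_rva)
{
    uint8_t img[0x100] = {0};
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x40);                     /* PE header at offset 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = 0x64; img[0x45] = 0xAA;         /* Machine = ARM64 */
    img[0x58] = 0x0b; img[0x59] = 0x02;         /* optional header magic = PE32+ */
    wr32(img + 0x58 + 16, entry_rva);           /* AddressOfEntryPoint */
    wr32(img + 0x58 + 56, 0x2000);              /* SizeOfImage */
    return pe_entry_after_verify(img, sizeof img, accept ? accept_image : reject_image);
}

int main(void) { return demo(1, 0x1000) == 0x1000 ? 0 : 1; }
```

A loader that skips the firmware's LoadImage/StartImage has to do these header and bounds checks itself, since the firmware no longer does them for it.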

https://bugzilla.suse.com/show_bug.cgi?id=1179492

Michael Chang <mchang@suse.com> changed:

What     | Removed | Added
----------------------------------------------------------------------------
CC       |         | bbrunner@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1179492

Michael Chang <mchang@suse.com> changed:

What     | Removed | Added
----------------------------------------------------------------------------
CC       |         | afaerber@suse.com,
         |         | chester.lin@suse.com,
         |         | glin@suse.com,
         |         | guillaume.gardet@arm.com,
         |         | jlee@suse.com,
         |         | jreidinger@suse.com,
         |         | jsrain@suse.com,
         |         | meissner@suse.com,
         |         | mlin@suse.com, rw@suse.com,
         |         | snwint@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1179492
https://bugzilla.suse.com/show_bug.cgi?id=1179492#c1

Michael Chang <mchang@suse.com> changed:

What     | Removed | Added
----------------------------------------------------------------------------
Flags    |         | needinfo?(guillaume.gardet@arm.com),
         |         | needinfo?(chester.lin@suse.com)

--- Comment #1 from Michael Chang <mchang@suse.com> ---
Hi Chester and Guillaume,

As I only could test that on my own Raspberry Pi 4, it would be great if you could help to test on the devices you have to see if there is any problem and we can fix before submitting to Factory. You could just install the package and test without shim, since our attempt here is to test the new handover (via pe/coff entry) to the kernel.

Thanks in advance.

https://bugzilla.suse.com/show_bug.cgi?id=1179492

Michael Chang <mchang@suse.com> changed:

What     | Removed                     | Added
----------------------------------------------------------------------------
Assignee | screening-team-bugs@suse.de | mchang@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1179492
https://bugzilla.suse.com/show_bug.cgi?id=1179492#c2

Benjamin Brunner <bbrunner@suse.com> changed:

What     | Removed         | Added
----------------------------------------------------------------------------
Assignee | mchang@suse.com | bootloader-maintainers@suse.de

--- Comment #2 from Benjamin Brunner <bbrunner@suse.com> ---
Bulk-re-assigning to the new bootloader-maintainers@suse.de group.

https://bugzilla.suse.com/show_bug.cgi?id=1179492
https://bugzilla.suse.com/show_bug.cgi?id=1179492#c3

Michael Chang <mchang@suse.com> changed:

What       | Removed | Added
----------------------------------------------------------------------------
Status     | NEW     | RESOLVED
Resolution | ---     | WORKSFORME

--- Comment #3 from Michael Chang <mchang@suse.com> ---
Change to 'works for me' as we have adapted arm64-efi to use shim as secure-boot key manager for a long time.