2012/12/21 Andrey Borzenkov <arvidjaar@gmail.com>:
I am still not sure how secure grub2 is going to find its grub.cfg. Normally its location is dynamically added to core.img. In case of secure grub2 core.img is prebuilt and signed during package creation (or may be signed later, not sure). So it is impossible to store information about grub root directory there. The only place which can be guaranteed to be auto-detected is ESP itself. But it is not where grub2 related files are installed currently ...
Do I miss something here?
The $prefix will be built into grub.efi image and signed with SUSE MOK. Thus the config path (/boot/efi/efi/openSUSE/grub.cfg) will not be determined at run time but at (package) build time. And since grub.efi image will have most relevant modules built-in and disable module (auto)loading, the modules under grub2 directory (say /boot/efi/efi/openSUSE/x86_64-efi/... ) is not needed in secure boot. That would imply the grub2-install (or it's equivalent created for secureboot) will only have to perform copying grub2.efi from system directory (/use/lib64/efi/grub.efi) to ESP partition (/boot/efi/efi/openSUSE/grub.efi) and done. Note above would only apply to boot path when secureboot is enabled and not affecting any boot path in non-secureboot case. Also you could replace grub2 signed with your own MOK and enrolling them with mokutils. (please look at previous blog post by Olaf and Voijtech to get the idea of MOK) Thanks, Michael
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org