[opensuse-factory] How secure boot grub2 is going to find its configuration?
I am still not sure how secure grub2 is going to find its grub.cfg. Normally its location is dynamically added to core.img. In case of secure grub2 core.img is prebuilt and signed during package creation (or may be signed later, not sure). So it is impossible to store information about grub root directory there. The only place which can be guaranteed to be auto-detected is ESP itself. But it is not where grub2 related files are installed currently ... Do I miss something here? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2012/12/21 Andrey Borzenkov <arvidjaar@gmail.com>:
I am still not sure how secure grub2 is going to find its grub.cfg. Normally its location is dynamically added to core.img. In case of secure grub2 core.img is prebuilt and signed during package creation (or may be signed later, not sure). So it is impossible to store information about grub root directory there. The only place which can be guaranteed to be auto-detected is ESP itself. But it is not where grub2 related files are installed currently ...
Do I miss something here?
The $prefix will be built into grub.efi image and signed with SUSE MOK. Thus the config path (/boot/efi/efi/openSUSE/grub.cfg) will not be determined at run time but at (package) build time. And since grub.efi image will have most relevant modules built-in and disable module (auto)loading, the modules under grub2 directory (say /boot/efi/efi/openSUSE/x86_64-efi/... ) is not needed in secure boot. That would imply the grub2-install (or it's equivalent created for secureboot) will only have to perform copying grub2.efi from system directory (/use/lib64/efi/grub.efi) to ESP partition (/boot/efi/efi/openSUSE/grub.efi) and done. Note above would only apply to boot path when secureboot is enabled and not affecting any boot path in non-secureboot case. Also you could replace grub2 signed with your own MOK and enrolling them with mokutils. (please look at previous blog post by Olaf and Voijtech to get the idea of MOK) Thanks, Michael
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
В Mon, 24 Dec 2012 11:49:12 +0800 Michael Chang <mchang@suse.com> пишет:
2012/12/21 Andrey Borzenkov <arvidjaar@gmail.com>:
I am still not sure how secure grub2 is going to find its grub.cfg. Normally its location is dynamically added to core.img. In case of secure grub2 core.img is prebuilt and signed during package creation (or may be signed later, not sure). So it is impossible to store information about grub root directory there. The only place which can be guaranteed to be auto-detected is ESP itself. But it is not where grub2 related files are installed currently ...
Do I miss something here?
The $prefix will be built into grub.efi image and signed with SUSE MOK.
But that's impossible. ${prefix} is end-user specific. You cannot build and encode it once and for every system.
Thus the config path (/boot/efi/efi/openSUSE/grub.cfg) will not be determined at run time but at (package) build time.
OK, so you are going to place it on ESP? This implies changes to perl-Bootloader and/or YaST2 grub2 modules. Also that means grub.cfg location is again non-deterministic. People already complained (for 12.2) that on UEFI systems location of grub.cfg is different from BIOS systems.
And since grub.efi image will have most relevant modules built-in and disable module (auto)loading, the modules under grub2 directory (say /boot/efi/efi/openSUSE/x86_64-efi/... ) is not needed in secure boot.
You still need to find grub.cfg.
That would imply the grub2-install (or it's equivalent created for secureboot) will only have to perform copying grub2.efi from system directory (/use/lib64/efi/grub.efi) to ESP partition (/boot/efi/efi/openSUSE/grub.efi) and done.
No. It would imply that all current infrastructure used to update grub.cfg has to be modified to work with new grub.cfg location. And you cannot just symlink /boot/grub2/grub.cfg => /boot/efi/EFI/openSUSE/grub.cfg because such link will be probably invalid during booting (grub2 cannot resolve it). May be putting minimal grub.cfg on ESP that effectively contains just configfile $true_boot_grub2_location/grub.cfg is more simple. This will at least leave the bulk of existing code valid and file on ESP needs to be updated infrequently, only when bootloader is installed. It is also less surprise for users.
Note above would only apply to boot path when secureboot is enabled and not affecting any boot path in non-secureboot case. Also you could replace grub2 signed with your own MOK and enrolling them with mokutils. (please look at previous blog post by Olaf and Voijtech to get the idea of MOK)
Yes, I know, this does not change the fact that something has to be done for secure boot case. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (2)
-
Andrey Borzenkov -
Michael Chang