[openFATE 314477] Support UEFI Secure Boot
Feature changed by: Jeffrey Cheung (Jeffreycheung) Feature #314477, revision 9 Title: Support UEFI Secure Boot Requested by: Jeffrey Cheung (jeffreycheung) + Partner organization: openSUSE.org Description: We need to support secure boot end-to-end in openSUSE 12.3. It is because ODM/OEM will ship UEFI secure boot enablement notebook at 2012 Q4, so openSUSE should support those machines. From technical view: + base on the approach on SUSE blogs. Our Planned Approach to Secure Boot (https://www.suse.com/blogs/uefi-secure-boot-plan/) (https://www.suse.com/blogs/uefi-secure-boot-details/) + use shim to be the forefront boot loader for verify the grub2 and kernel should signed by openSUSE key or MOKs(machine owner keys). + shim will sign by Microsoft key through Microsoft sign service + grub2 need load kernel to memory and call the verify protocol that provied by shim to verify kernel signed by openSUSE key or MOKs + kernel need signed by openSUSE key by default + user can use tool to sign grub2 and kernel with MOK by himself, and MOK can be import to NVRAM in UEFI BIOS that maintain by shim. + For support secure boot, kernel need included Matthew Garrett's patch from upstream (reviewing, will in v3.6 or v3.7) to lock io port /dev/mem and kexec(or kexec can verify signed kernel). + xorg-x11-server at least need included the d01921ec18c21f21d377b60626cc2d3418b84a7c patch to avoid set the I/O privilege level. On secure boot mode, kernel will lock io port then any user space process can't set it. + Against to io port and pci register lock down by kernel, need check if any user space applications have problem. -- openSUSE Feature: https://features.opensuse.org/314477
participants (1)
-
fate_noreply@suse.de