cos /
cos /
cobble /
3d2b9922e81cce898d4f09306563d3ca9d32c67e grub-lakitu: CHROMIUM: Make grub config read-only in secure boot
To protect the rootfs hash, we want to make grub.cfg
read-only. We do this by storing it in a boot service
EFI variable. When the system boots for the first
time, the grub configuration is loaded into the GrubConfig
EFI variable. Subsequent boots only read the config
from the GrubConfig EFI variable.
Changes are made to the 'normal' command. The normal command is
executed when grub first starts and is the command that loads and
executes grub.cfg. We change the normal command to load the grub
configuration in a different way when secure boot is enabled.
I tried to follow the gnu C style guide to be consistent with
the rest of grub.
CQ-DEPEND=CL:1272375
BUG=b:112317631
TEST=Sign with dev keys; boot with EFI; change kernel cmdline in grub.cfg; reboot; /proc/cmdline hasn't changed
RELEASE_NOTE=None
Change-Id: I1adfcfe6f6ccf14e4eebe7f5be0835d0cd643437
Reviewed-on: https://chromium-review.googlesource.com/1265958
Commit-Ready: Robert Kolchmeyer <rkolchmeyer@google.com>
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
3 files changed