b92669e715ba7c6fe82f6fca8a988f61db79ff9d grub-lakitu: REDHAT: MASTER-SB: Add secureboot support on efi chainloader
Expand the chainloader to be able to verify the image by means of the shim
lock protocol. The PE/COFF image is loaded and relocated by the
chainloader instead of calling the LoadImage and StartImage UEFI Boot
Services, as they require a positive verification result from keys enrolled
in KEK or DB. The shim will use MOK in addition to firmware enrolled
keys to verify the image.

The chainloader module could be used to load other UEFI bootloaders,
such as xen.efi, and could be signed by any of MOK, KEK or DB.
Based on https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 5404b3eb5eb6a42e8027fa98ea232a5777559137)
(from master-sb branch of https://github.com/rhboot/grub2)
BUG=b:69569602
TEST=TBD
Change-Id: Ia36ae78f6e6b1da6c98e3efc73db5669b48f857e
Reviewed-on: https://chromium-review.googlesource.com/945893
Reviewed-by: Edward Jee <edjee@google.com>
Commit-Queue: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Trybot-Ready: Edward Jee <edjee@google.com>
2 files changed
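
An added example of the flow the commit message describes, not code from this commit, GRUB or shim: a loader that bypasses LoadImage must gate the image on a verifier and bounds-check the PE/COFF headers itself before relocating anything. `verify_fn` is a hypothetical stand-in for the shim lock verify call; refusing to load when Secure Boot is on and no verifier is available, and verifying before parsing, are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the shim lock verify call: 0 means accepted. */
typedef int (*verify_fn)(const void *buf, size_t len);
enum load_result { LOAD_OK, LOAD_BAD_IMAGE, LOAD_NO_VERIFIER, LOAD_REJECTED };

static uint32_t rd(const uint8_t *p, int n) {            /* little-endian read */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Gate a manual PE/COFF load: verify first, then bounds-check the headers. */
enum load_result check_image(const uint8_t *img, size_t len, int secure_boot, verify_fn verify) {
    if (secure_boot) {
        if (!verify) return LOAD_NO_VERIFIER;            /* fail closed (assumed policy) */
        if (verify(img, len) != 0) return LOAD_REJECTED;
    }
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return LOAD_BAD_IMAGE;
    uint32_t pe = rd(img + 0x3c, 4);                     /* e_lfanew */
    if (pe > len || len - pe < 24) return LOAD_BAD_IMAGE; /* signature + COFF header */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return LOAD_BAD_IMAGE;
    uint32_t nsec = rd(img + pe + 6, 2), optsz = rd(img + pe + 20, 2);
    size_t sect = (size_t)pe + 24 + optsz;               /* start of section table */
    if (sect > len || (len - sect) / 40 < nsec) return LOAD_BAD_IMAGE;
    for (uint32_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + sect + (size_t)i * 40;
        uint32_t raw_size = rd(s + 16, 4), raw_off = rd(s + 20, 4);
        if (raw_off > len || len - raw_off < raw_size) return LOAD_BAD_IMAGE;
    }
    return LOAD_OK;
}

static int accept_all(const void *b, size_t n) { (void)b; (void)n; return 0; }
static int reject_all(const void *b, size_t n) { (void)b; (void)n; return -1; }
/* Constructed sample: one-section image with SizeOfRawData = raw_size_hi << 8. */
enum load_result demo(int secure_boot, int verifier, uint8_t raw_size_hi) {
    uint8_t img[0x200] = { 'M', 'Z' };
    img[0x3c] = 0x40;                                    /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x46] = 1;                                       /* NumberOfSections */
    img[0x58 + 17] = raw_size_hi;                        /* SizeOfRawData, second byte */
    img[0x58 + 21] = 0x01;                               /* PointerToRawData = 0x100 */
    verify_fn v = verifier == 1 ? accept_all : verifier == 2 ? reject_all : NULL;
    return check_image(img, sizeof img, secure_boot, v);
}

int main(void) { return demo(1, 1, 1) == LOAD_OK ? 0 : 1; }
```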