)]}' { "commit": "3d2b9922e81cce898d4f09306563d3ca9d32c67e", "tree": "8ff5084f7945b4f0edc0cf1e61aab7a11d02dcca", "parents": [ "85e6e13ae4e3ba22f1970ebfe66610866e89132d" ], "author": { "name": "Robert Kolchmeyer", "email": "rkolchmeyer@google.com", "time": "Thu Oct 04 22:21:06 2018 -0700" }, "committer": { "name": "chrome-bot", "email": "chrome-bot@chromium.org", "time": "Fri Nov 16 05:02:21 2018 -0800" }, "message": "grub-lakitu: CHROMIUM: Make grub config read-only in secure boot\n\nTo protect the rootfs hash, we want to make grub.cfg\nread-only. We do this by storing it in a boot service\nEFI variable. When the system boots for the first\ntime, the grub configuration is loaded into the GrubConfig\nEFI variable. Subsequent boots only read the config\nfrom the GrubConfig EFI variable.\n\nChanges are made to the \u0027normal\u0027 command. The normal command is\nexecuted when grub first starts and is the command that loads and\nexecutes grub.cfg. We change the normal command to load the grub\nconfiguration in a different way when secure boot is enabled.\n\nI tried to follow the gnu C style guide to be consistent with\nthe rest of grub.\n\nCQ-DEPEND\u003dCL:1272375\nBUG\u003db:112317631\nTEST\u003dSign with dev keys; boot with EFI; change kernel cmdline in grub.cfg; reboot; /proc/cmdline hasn\u0027t changed\nRELEASE_NOTE\u003dNone\n\nChange-Id: I1adfcfe6f6ccf14e4eebe7f5be0835d0cd643437\nReviewed-on: https://chromium-review.googlesource.com/1265958\nCommit-Ready: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nTested-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nReviewed-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "d467785fc6ce0763ec1392a65d6b30f1747ab5c4", "old_mode": 33188, "old_path": "grub-lakitu/grub-core/kern/efi/efi.c", "new_id": "e060ed23a7a1710d6c03c988d862bacb379dbeda", "new_mode": 33188, "new_path": "grub-lakitu/grub-core/kern/efi/efi.c" }, { "type": "modify", "old_id": "1b03dfd57b9113ba0e6fee3475d25d55534a15e5", "old_mode": 33188, "old_path": "grub-lakitu/grub-core/normal/main.c", "new_id": "2998eff9618c427f98d455230d63fd3ce2fcce2b", "new_mode": 33188, "new_path": "grub-lakitu/grub-core/normal/main.c" }, { "type": "modify", "old_id": "764cd11f5a7bd9414564b97d8dce6502e2de02f4", "old_mode": 33188, "old_path": "grub-lakitu/include/grub/efi/efi.h", "new_id": "cc0b94edf0244348d17693f783d5eb7880fc2360", "new_mode": 33188, "new_path": "grub-lakitu/include/grub/efi/efi.h" } ] }