tree 8ff5084f7945b4f0edc0cf1e61aab7a11d02dcca
parent 85e6e13ae4e3ba22f1970ebfe66610866e89132d
author Robert Kolchmeyer <rkolchmeyer@google.com> 1538716866 -0700
committer chrome-bot <chrome-bot@chromium.org> 1542373341 -0800

grub-lakitu: CHROMIUM: Make grub config read-only in secure boot

To protect the rootfs hash, we want to make grub.cfg
read-only. We do this by storing it in a boot service
EFI variable. When the system boots for the first
time, the grub configuration is loaded into the GrubConfig
EFI variable. Subsequent boots only read the config
from the GrubConfig EFI variable.

Changes are made to the 'normal' command. The normal command is
executed when grub first starts and is the command that loads and
executes grub.cfg. We change the normal command to load the grub
configuration in a different way when secure boot is enabled.

I tried to follow the GNU C style guide to be consistent with
the rest of grub.

CQ-DEPEND=CL:1272375
BUG=b:112317631
TEST=Sign with dev keys; boot with EFI; change kernel cmdline in grub.cfg; reboot; /proc/cmdline hasn't changed
RELEASE_NOTE=None

Change-Id: I1adfcfe6f6ccf14e4eebe7f5be0835d0cd643437
Reviewed-on: https://chromium-review.googlesource.com/1265958
Commit-Ready: Robert Kolchmeyer <rkolchmeyer@google.com>
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
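
Added example (not part of this commit or of grub's code): a small C model of the scheme the message describes. On the first secure boot the config is copied into a boot-service-only variable, and later boots read only that variable. The one-slot store, the function names, the non-volatile attribute and the unchanged non-secure-boot path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Attribute bits from the UEFI specification. */
#define NV 0x1u  /* EFI_VARIABLE_NON_VOLATILE */
#define BS 0x2u  /* EFI_VARIABLE_BOOTSERVICE_ACCESS */
#define RT 0x4u  /* EFI_VARIABLE_RUNTIME_ACCESS */

/* Hypothetical one-slot model of firmware variable storage (GrubConfig). */
struct var_store {
    int present;
    unsigned attrs;
    char data[256];
    int runtime;  /* 1 once the OS has called ExitBootServices */
};

/* Without RT the variable cannot be read after boot services end. */
static int var_get(const struct var_store *s, char *out, size_t n) {
    if (!s->present || (s->runtime && !(s->attrs & RT))) return -1;
    snprintf(out, n, "%s", s->data);
    return 0;
}

/* At runtime only RT variables are writable; existing attributes are fixed. */
static int var_set(struct var_store *s, unsigned attrs, const char *val) {
    if (s->runtime && !(attrs & RT)) return -1;
    if (s->present && attrs != s->attrs) return -1;
    if (strlen(val) >= sizeof s->data) return -1;
    strcpy(s->data, val);
    s->attrs = attrs;
    s->present = 1;
    return 0;
}

/* Model of the changed 'normal' command: returns the config that would run. */
static const char *load_config(struct var_store *s, int secure_boot,
                               const char *disk_cfg, char *buf, size_t n) {
    if (!secure_boot) return disk_cfg;            /* assumed: unchanged path */
    if (var_get(s, buf, n) == 0) return buf;      /* later boots: variable only */
    if (var_set(s, NV | BS, disk_cfg) != 0) return NULL; /* first boot: provision */
    return var_get(s, buf, n) == 0 ? buf : NULL;
}

int main(void) {
    struct var_store s = {0};
    char buf[256];
    printf("boot 1: %s\n", load_config(&s, 1, "cmdline=A", buf, sizeof buf));
    printf("boot 2: %s\n", load_config(&s, 1, "cmdline=B", buf, sizeof buf));
    return 0;
}
```

The model also shows the limit of the scheme: whatever grub.cfg holds on the first secure boot is what gets pinned, so the first boot has to happen in a trusted state.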
