grub-lakitu: CHROMIUM: Make grub config read-only in secure boot

To protect the rootfs hash, we want to make grub.cfg
read-only. We do this by storing it in a boot service
EFI variable. When the system boots for the first
time, the grub configuration is loaded into the GrubConfig
EFI variable. Subsequent boots only read the config
from the GrubConfig EFI variable.

Changes are made to the 'normal' command. The normal command is
executed when grub first starts and is the command that loads and
executes grub.cfg. We change the normal command to load the grub
configuration in a different way when secure boot is enabled.

I tried to follow the gnu C style guide to be consistent with
the rest of grub.

TEST=Sign with dev keys; boot with EFI; change kernel cmdline in grub.cfg; reboot; /proc/cmdline hasn't changed

Change-Id: I1adfcfe6f6ccf14e4eebe7f5be0835d0cd643437
Commit-Ready: Robert Kolchmeyer <>
Tested-by: Robert Kolchmeyer <>
Reviewed-by: Robert Kolchmeyer <>
3 files changed
tree: 8ff5084f7945b4f0edc0cf1e61aab7a11d02dcca
  1. grub-lakitu/