[uefi-secure-boot-guide] master: Add notes for the kernel and grub (5b5d65e)

sparks at fedoraproject.org
Sat Feb 9 01:28:25 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit 5b5d65ea11e4cdf757cd550c9c574712631edc0f
Author: Josh Bressers <josh at bress.net>
Date:   Fri Feb 8 14:32:39 2013 -0600

    Add notes for the kernel and grub
    
    Signed-off-by: Eric Christensen <sparks at fedoraproject.org>


>---------------------------------------------------------------

 en-US/Implementation_of_Secure_Boot.xml |   30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index af49f63..f22a292 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -198,6 +198,35 @@ in Secure Boot mode, which will cause several things to be true:
                 </para>
         </note>
 	</section>
+	<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-GRUB">
+		<title>GRUB</title>
+		<para>
+			GRUB is contained in the grub2 package and is signed with the
+Fedora CA key. The binary is cryptographically verified, then executed by
+shim. The GRUB package does not contain any key material. When GRUB needs
+to verify the integrity of the Kernel, GRUB will call back into shim to
+execute the actual check.
+		</para>
+	</section>
+	<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Kernel">
+		<title>Kernel</title>
+		<para>
+			The Kernel is signed with the Fedora CA key. It is verified by
+shim before GRUB will allow execution. Modules the kernel loads are signed
+with a key that is generated at kernel build time, then destroyed.
+		</para>
+		<para>
+			The Kernel will import the UEFI key database and use that to
+verify kernel modules. This means that 3rd party kernel modules signed with
+a key trusted by UEFI (Microsoft), will load in the Kernel while Secure
+Boot is enabled.
+		</para>
+		<para>
+			It is important to note that once the kernel loads the initial
+ramdisk (initrd), execution is no longer trusted. While the initrd may
+contain signed kernel modules, it also contains unsigned userspace code.
+The integrity of this code cannot be guaranteed.
+		</para>
 	<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Restrictions">
 		<title>Restrictions</title>
 		<para><indexterm><primary>Secure Boot</primary><secondary>restrictions</secondary></indexterm>
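Review bot: The Kernel `<section>` opened in this hunk is not closed before the existing Restrictions `<section>` begins. A `</section>` is needed after the initrd paragraph's `</para>`, the same way the GRUB section is closed just above. As written, Restrictions becomes a subsection of Kernel. Two smaller points in the same block: the initrd paragraph marks the point where trusted execution ends, so it would be better placed in an `<important>` block like the one used later in this file, and the wording needs a pass ("Kernel"/"kernel" capitalisation is mixed, and the comma after "(Microsoft)" should be dropped).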
@@ -230,5 +259,6 @@ resolve it in the future.
 		</para>
 	</important>
 	</section>
+	</section>
 </chapter>
 
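Review bot: The `</section>` added before `</chapter>` only balances the Kernel section that the first hunk leaves open, which makes Restrictions a child of Kernel while GRUB stays a sibling. If that nesting is not intended, drop this line and close Kernel directly after its last `</para>` instead. If it is intended, indent the Restrictions block one level deeper so the structure is visible in the source.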


