[uefi-secure-boot-guide] master: Add notes for the kernel and grub (5b5d65e)
sparks at fedoraproject.org
Sat Feb 9 01:28:25 UTC 2013
Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : master
>---------------------------------------------------------------
commit 5b5d65ea11e4cdf757cd550c9c574712631edc0f
Author: Josh Bressers <josh at bress.net>
Date: Fri Feb 8 14:32:39 2013 -0600
Add notes for the kernel and grub
Signed-off-by: Eric Christensen <sparks at fedoraproject.org>
>---------------------------------------------------------------
en-US/Implementation_of_Secure_Boot.xml | 30 ++++++++++++++++++++++++++++++
1 files changed, 30 insertions(+), 0 deletions(-)
diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index af49f63..f22a292 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -198,6 +198,35 @@ in Secure Boot mode, which will cause several things to be true:
</para>
</note>
</section>
+ <section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-GRUB">
+ <title>GRUB</title>
+ <para>
+ GRUB is contained in the grub2 package and is signed with the
+Fedora CA key. The binary is cryptographically verified, then executed by
+shim. The GRUB package does not contain any key material. When GRUB needs
+to verify the integrity of the Kernel, GRUB will call back into shim to
+execute the actual check.
+ </para>
+ </section>
+ <section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Kernel">
+ <title>Kernel</title>
+ <para>
+ The Kernel is signed with the Fedora CA key. It is verified by
+shim before GRUB will allow execution. Modules the kernel loads are signed
+with a key that is generated at kernel build time, then destroyed.
+ </para>
+ <para>
+ The Kernel will import the UEFI key database and use that to
+verify kernel modules. This means that 3rd party kernel modules signed with
+a key trusted by UEFI (Microsoft), will load in the Kernel while Secure
+Boot is enabled.
+ </para>
+ <para>
+ It is important to note that once the kernel loads the initial
+ramdisk (initrd), execution is no longer trusted. While the initrd may
+contain signed kernel modules, it also contains unsigned userspace code.
+The integrity of this code cannot be guaranteed.
+ </para>
<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Restrictions">
<title>Restrictions</title>
<para><indexterm><primary>Secure Boot</primary><secondary>restrictions</secondary></indexterm>
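Review bot: In the second Kernel paragraph, "a key trusted by UEFI (Microsoft)" is ambiguous. It can be read as saying that Microsoft is the only trusted signer, while the sentence before it says the kernel imports the UEFI key database. Suggest phrasing it in terms of that database, for example "signed with a key present in the UEFI key database (such as Microsoft's)", and dropping the comma before "will load". Two style points in the same section: "Kernel" is capitalized in "The Kernel is signed" but lowercase in "once the kernel loads", so pick one form, and "3rd party" reads better as "third-party".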
@@ -230,5 +259,6 @@ resolve it in the future.
</para>
</important>
</section>
+ </section>
</chapter>
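Review bot: The </section> added before </chapter> is the only closing tag for the Kernel section opened in the previous hunk, so as far as the visible context shows, the existing Restrictions section now ends up nested inside Kernel instead of sitting beside GRUB and Kernel. If that nesting is not intended, close the Kernel section right after its last </para> (before the Restrictions <section> line) and drop this added line.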