Home_greyopenFATE - openSUSE feature tracking > #314477
Dashboard | Search | Sign up | Login

Please login or register to be able to edit or vote this feature.

Support UEFI Secure Boot

Feature state

Description

We need to support secure boot end-to-end in openSUSE 12.3.

It is because ODM/OEM will ship UEFI secure boot enablement notebook at 2012 Q4, so openSUSE should support those machines.

From technical view:
+ base on the approach on SUSE blogs. Our Planned Approach to Secure Boot (https://www.suse.com/blogs/uefi-secure-boot-plan/ )
(https://www.suse.com/blogs/uefi-secure-boot-details/)

+ use shim to be the forefront boot loader for verify the grub2 and kernel should signed by openSUSE key or MOKs(machine owner keys).

+ shim will sign by Microsoft key through Microsoft sign service

+ grub2 need load kernel to memory and call the verify protocol that provied by shim to verify kernel signed by openSUSE key or MOKs

+ kernel need signed by openSUSE key by default

+ user can use tool to sign grub2 and kernel with MOK by himself, and MOK can be import to NVRAM in UEFI BIOS that maintain by shim.

+ For support secure boot, kernel need included Matthew Garrett's patch from upstream (reviewing, will in v3.6 or v3.7) to lock io port /dev/mem and kexec(or kexec can verify signed kernel).

+ xorg-x11-server at least need included the d01921ec18c21f21d377b60626cc2d3418b84a7c patch to avoid set the I/O privilege level. On secure boot mode, kernel will lock io port then any user space process can't set it.

+ Against to io port and pci register lock down by kernel, need check if any user space applications have problem.

Discussion


No comments yet

Last change: 2 months ago
Voting
Score: 2
  • Negative: 0
  • Neutral: 0
  • Positive: 2
Tags
Feature Export
Application-xmlXML   Text-x-logPlaintext   PrinterPrint