Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Third-party bootloader support #628

Closed
mikebeaton opened this issue Jan 21, 2024 · 1 comment
Closed

Third-party bootloader support #628

mikebeaton opened this issue Jan 21, 2024 · 1 comment

Comments

@mikebeaton
Copy link
Contributor

mikebeaton commented Jan 21, 2024
edited

In an ideal world, a third-party bootloader such as systemd boot, but also 'hobbyist' bootloaders like rEFInd or OpenCore, would be able to integrate with shim, in order to take advantage of features it provides, and Linux users expect, without having to re-write them all.

[EDIT: systemd boot was a bad example above, as it is already a 'participating bootloader' which is shim lock protocol-aware (and of course therefore must implement its own image loader).]

In order of decreasing importance, these are:

  • SBAT support
  • MOK support
  • Abilty to package vendor DB and DBX of supported distros into shim, and for subsequent bootloader to verify using these:
    • of course shim already supports specifying vendor DB and DBX on build
    • grub itself already verifies using these, but relies on having its own PE loader, plus use of the shim lock protocol
    • a much simpler alternative for an abitrary non-grub bootloader is if gBS LoadImage, after shim, already enforces any additional permissions (i.e. DB from shim) and restrictions (i.e. DBX, SBAT from shim)

The idea here is for a third-party Linux loader (e.g. a BLSpec compliant one) to be able to potentially boot more than one distro, with secure boot enabled (and very much more ideally than not: without needing its own PE loader, plus awareness of shim lock protocol).

Note that support for all of this is already possible with existing shim code, using the apparently largely forgotten code enabled with OVERRIDE_SECURITY_POLICY=1 (which currently requires the trivial fix discussed here in order to build).

This issue is raised to ask if this can be treated as a supported/valid use-case, with (something like) the existing support for OVERRIDE_SECURITY_POLICY made available. This includes requesting that it (continues to) be supported for third party boot loaders to be able to verify/deny with certificates from shim (potentially multi-vendor DB and DBX, plus MOK, plus shim SBAT enforcement), ideally just by using gBS->LoadImage.
@mikebeaton mikebeaton mentioned this issue Jan 23, 2024
Open
@mikebeaton mikebeaton changed the title Non-Grub bootloader support Third-party bootloader support Mar 15, 2024
@mikebeaton
Copy link
Contributor Author

Based on the progress of discussion in #596 it seems like maybe such boot loaders are better off fending for themselves and adding their own SBAT support if they wish to have it (since, unfortunately, I believe that that or chaining from shim is the only way to get this). Not chaining via shim rules out MOK integration, unfortunately - unless such loaders implement that as well!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mikebeaton