|
|
你是否問Super UEFIinSecureBoot Disk的引導路徑?
UEFI boot process of this disk is performed in 3 stages.
bootx64.efi (shim) → grubx64.efi (preloader) → grubx64_real.efi (grub2) → EFI file/OS
Stage 1: motherboard loads shim. Shim is a special loader which just loads next executable, grubx64.efi (preloader) in our case. Shim is signed with Microsoft key, which allows it to be launched in Secure Boot mode on all stock PC motherboards.
Shim contains embedded Fedora certificate (because it's extracted from Fedora repository). If Secure Boot is enabled, since grubx64.efi is not signed with embedded Fedora certificate, shim boots another executable, MokManager.efi, which is a special shim key management software. MokManager asks user to proceed with key or hash enrolling process.
Newer versions of shim install hooks for UEFI LoadImage, StartImage, ExitBootServices and Exit functions to "Harden against non-participating bootloaders", which should be bypassed for this disk use-case. Fedora's shim does not install custom UEFI security policies, that's why it's not possible to load self-signed efi files from second stage bootloader, even if you add their hashes or certificates using MokManager.
Stage 2: preloader is a software similar to shim. It also performs executable validation and loads next efi file. Preloader included in this disk is a stripped down version which performs only one function: install allow-all UEFI security policy. This permits loading of arbitrary efi executables with LoadImage/StartImage UEFI functions even outside GRUB (for example, in UEFI Shell), and bypasses shim hardening.
Stage 3: GRUB2 is a well-known universal bootloader. It has been patched to load Linux kernel without additional vertification (linux/linuxefi commands), load .efi binaries into memory and jump into its entry point (chainloader command), and to mimic "participating bootloader" for shim. |
|
[复制链接]
IP卡
狗仔卡
楼主
显身卡
发表于 2021-5-4 14:38:23
发表于 2021-5-5 15:19:39
