Comment by morpheuskafka

9 days ago

> custom ways of doing things, instead of furthering efforts like UEFI on ARM.

I thought U-Boot was more or less the standard way of booting embedded Linux? Is it really worth bringing the entire UEFI environment, which is basically a mini OS, to such devices? Embedded devices are often designed to handle power loss or even be unplugged by users, so the boot-up process is generally as lean as possible.

SecureBoot might be more useful than UEFI on SBCs like the Pi.

The grub EFI shim is signed, but does or doesn't verify kernel image and initrd and module (and IDK optionally drive and CPU and RAM hw) signatures?

mokutil does module signature key enrollment. Kernel modules must be signed with a key enrolled in the BIOS, otherwise they won't be loaded.

To implement SecureBoot without UEFI would be to develop an alternate bootloader verification system.

But what does grub or uboot or p-boot do after the signed grub shim is verified?

  • mokutil and these commands don't work without UEFI:

      mokutil --sb-state
      mokutil --help
      mokutil --import key.der
      mokutil --list-new
      reboot
    
      efibootmgr
      efivar
    
      fwupd
      fwupdtool
      fwupdmgr get-updates && \
      fwupdmgr update
    
      tree /sys/firmware/efi
    
      systemctl reboot --firmware-setup

    • Note that UEFI doesn't mean supporting most of those.

      UEFI without runtime UEFI variable writes is a thing, and that configuration is incompatible with mokutil.

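As an added example (not posted by anyone in this thread), a POSIX sh script that reports what `mokutil --sb-state` would, read straight from efivarfs, and separates the cases raised above: no UEFI at all, UEFI without usable variable services, Secure Boot on or off. The optional root-directory argument is an assumption so the checks can be exercised against a constructed sysfs tree rather than only on a live machine.

```shell
#!/bin/sh
# Added example, not from the thread. Reports UEFI / Secure Boot state
# directly from efivarfs, which is what mokutil --sb-state reads.
# Optional first argument: an alternate root (assumption for testing
# against a constructed tree); defaults to the real filesystem.

# EFI_GLOBAL_VARIABLE GUID, under which SecureBoot and SetupMode live.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the single data byte of an EFI variable as a decimal number.
# efivarfs files carry a 4-byte attribute header before the data, so
# skip 4 bytes and read 1. Returns 1 if the variable is not readable.
efivar_byte() {
    f="$1/sys/firmware/efi/efivars/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Classify the boot environment:
#   not-uefi         no /sys/firmware/efi: U-Boot/BIOS-style boot, so
#                    mokutil, efibootmgr and efivar cannot work here
#   uefi-no-efivars  UEFI boot, but no readable efivarfs: runtime
#                    variable services unavailable, mokutil will fail
#   setup-mode       SetupMode=1, no Platform Key enrolled, nothing
#                    is verified even if the firmware is UEFI
#   enabled/disabled SecureBoot variable as reported by firmware
sb_state() {
    root="${1:-}"
    [ -d "$root/sys/firmware/efi" ] || { echo not-uefi; return 0; }
    sb=$(efivar_byte "$root" SecureBoot) || { echo uefi-no-efivars; return 0; }
    sm=$(efivar_byte "$root" SetupMode) || sm=0
    if [ "$sm" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enabled
    else echo disabled
    fi
}

sb_state "$@"
```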