Hi, I have a custom installation of openSUSE Tumbleweed which uses u-boot and Grub.

To use secure boot on the RPI, one creates a boot.img containing the kernel and other files which is signed, and the EEPROM is locked to only allow booting with this signature (https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md).

Since I'm using u-boot, I'm creating a boot.img containing u-boot.bin instead of the Linux kernel and ramdisk. But then nothing is locking down which kernel can boot, since that's controlled by UEFI and Grub. u-boot starts Grub from the UEFI partition, and Grub starts the kernel from a separate /boot partition. And I see no way to change this.

I use a 3-partition setup where the partitions are: 1. FAT UEFI partition, 2. Linux ext4 /boot partition, 3. Encrypted LUKS ext4 root partition.

I've been looking into https://trac.gateworks.com/wiki/secure_boot#SecuringtheKernelFDTramdiskviaFITimages but is that possible to do with my current setup? Can I include Grub and the kernel/initrd in the boot.img and make u-boot use that instead of from the UEFI partition?

Jonas