Hi Jonas,

On Mon, 19 Aug 2024 at 07:11, Jonas Kvinge <[email protected]> wrote:
>
> Hi,
>
> I have a custom installation of openSUSE Tumbleweed which uses u-boot
> and Grub.
> To use secure boot on the RPI, one creates a boot.img containing the
> kernel and other files which is signed, and the eeprom is locked to
> only allow booting with this signature.
> (https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md).
> Since I'm using u-boot, I'm creating a boot.img containing u-boot.bin
> instead of the linux kernel and ramdisk.
> But then nothing is locking down which kernel can boot, since that's
> controlled by UEFI and Grub. u-boot starts Grub from the UEFI
> partition, and Grub starts the kernel from a separate /boot partition.
> And I see no way to change this.
> I use a 3 partition setup where the partitions are 1. FAT UEFI
> partition, 2. Linux ext4 /boot partition, 3. Encrypted LUKS ext4 root
> partition.
> I've been looking into
> https://trac.gateworks.com/wiki/secure_boot#SecuringtheKernelFDTramdiskviaFITimages
> But is that possible to do with my current setup? Can I include grub
> and the kernel/initrd in the boot.img and make u-boot use that instead
> of from the UEFI partition?

It's 'U-Boot', BTW.

I don't fully understand your situation, but you should be able to use
FIT as there is an EFI test for it - see
test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py

Note that RPI typically uses a private bootloader, so I'm not sure how
secure it can actually be.

Regards,
Simon

