wiki:secureboot

Differences

This shows the differences between two versions of the page.

wiki:secureboot [2024/03/29 18:44] – [SUSE] pulsarwiki:secureboot [2024/03/29 20:16] – [shim Bootloader] pulsar
Zeile 115: Zeile 115:
   # shim-install    # shim-install 
   No valid EFI partition   No valid EFI partition
 +
 +
 +The default boot loader used by openSUSE on UEFI systems is grub2. When in secure boot mode, an additional boot loader called 'shim' is used too. Instead of directly calling grub2 in that mode the firmware first loads 'shim'. 'shim' carries a signature by Microsoft in order to be recognized by the firmware. 'shim' in turn knows about the openSUSE certificate that was used to sign grub2. grub2 then is able to load linux kernels that are also signed by the openSUSE certificates. After loading the Linux kernel the scope of secure boot ends. The linux kernel used in openSUSE does not impose additional restrictions.
 +
 +In order to allow having custom boot loaders as well as custom kernels shim offers a way to import custom signatures. The program 'MokManager' is used for that purpose. When 'shim' is instructed to load a binary that is not signed by a well known entity it calls into MokManager which allows to import certificates into the database of well known signature issuers. 
  
  
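Review bot: The closing sentence of the first added paragraph, "The linux kernel used in openSUSE does not impose additional restrictions", is stated without a release or date, so a reader cannot tell which openSUSE version it describes; name the release it was checked against or cite where the text comes from. In the second added paragraph, "import certificates into the database of well known signature issuers" should also say what that means for trust: once a certificate is enrolled through MokManager, shim will accept any boot loader or kernel signed with it, so the page should state who is expected to perform the import and how enrolled keys can be reviewed. The new text also follows the `shim-install` output "No valid EFI partition" directly, without a heading or a sentence relating it to that error. Minor: "linux" and "Linux" are mixed within the same paragraph.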
wiki/secureboot.txt · Last modified: 2024/03/29 20:19 by pulsar