Hi,
I'm using openSUSE Tumbleweed on RPI CM4, unlike Raspberry Pi OS, it uses U-boot and Grub.
My setup has 3 partitions where the partitions are 1. (FAT)UEFI Boot, 2. ext4 Linux /boot (un-encrypted), 3. uncrypted Linux LUKS ext4 root (/)
To setup secure boot, I've signed a boot.img witch contains config.txt, extraconfig.txt, u-boot.bin, start.elf, start4.elf, fixup.dat, fixup4.dat, .dtb files and overlays. So instead of the linux kernel and initrd, it has u-boot. This currently boots, but I assume someone could just replace the kernel on the /boot partition, so secure boot is not actually secure.
So is there a way to lock which kernel and initrd boots?
Jonas
I'm using openSUSE Tumbleweed on RPI CM4, unlike Raspberry Pi OS, it uses U-boot and Grub.
My setup has 3 partitions where the partitions are 1. (FAT)UEFI Boot, 2. ext4 Linux /boot (un-encrypted), 3. uncrypted Linux LUKS ext4 root (/)
To setup secure boot, I've signed a boot.img witch contains config.txt, extraconfig.txt, u-boot.bin, start.elf, start4.elf, fixup.dat, fixup4.dat, .dtb files and overlays. So instead of the linux kernel and initrd, it has u-boot. This currently boots, but I assume someone could just replace the kernel on the /boot partition, so secure boot is not actually secure.
So is there a way to lock which kernel and initrd boots?
Jonas
Statistics: Posted by jonaski — Mon Aug 12, 2024 2:14 pm