Next: , Previous: , Up: Security   [Contents][Index]

18.3 UEFI secure boot and shim support

The GRUB, except the chainloader command, works with the UEFI secure boot and the shim. This functionality is provided by the shim_lock module. It is recommend to build in this and other required modules into the core.img. All modules not stored in the core.img and the ACPI tables for the acpi command have to be signed, e.g. using PGP. Additionally, the iorw, the memrw and the wrmsr commands are prohibited if the UEFI secure boot is enabled. This is done due to security reasons. All above mentioned requirements are enforced by the shim_lock module. And itself it is a persistent module which means that it cannot be unloaded if it was loaded into the memory.