Changes for page UEFI Secure Boot

Last modified by Sabrina V. on 2026/02/02 10:18

From version 1.1
edited by Sabrina V.
on 2026/02/02 10:06
Change comment: There is no comment for this version
To version 1.2
edited by Sabrina V.
on 2026/02/02 10:11
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,3 +1,5 @@
1 +and verifies its signature using the distribution certificates embedded in the Shim package.
2 +
1 1  {{aagon.floatingbox/}}
2 2  
3 3  For systems with UEFI firmware and Secure Boot activated, the PXE boot process differs fundamentally from classic legacy boot via BIOS. UEFI uses a modern architecture model based on 64-bit operation, modular expandability and cryptographic verification. While legacy boot loads arbitrary code without integrity checks, Secure Boot enforces a continuous chain of trust that extends from the firmware starter to the kernel. Each component must be digitally signed in order to be executed.
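Review bot: the added line 1 ("and verifies its signature using the distribution certificates embedded in the Shim package.") is a dangling sentence fragment inserted above `{{aagon.floatingbox/}}`, so it renders as the first text on the page without a subject; it is the tail of step 4 of the PXE sequence further down, where the same sentence already appears in full after "The Shim bootloader loads ##grubx64.efi##". Remove added lines 1 and 2 so the page again opens with the floating-box macro as it did in version 1.1.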
... ... @@ -5,24 +5,24 @@
5 5  Since the Shim bootloader is signed by Microsoft, it is classified as trustworthy by the firmware. The Shim package also contains certificates for the respective distribution, which are used to verify the subsequent components (such as GRUB, the kernel and the initramfs). It is crucial that the certificate chain remains unchanged throughout the entire boot process so that each component is only loaded from an authorized source.
6 6  
7 7  
8 -= Ablauf des PXE-Boots im UEFI-Modus =
10 += PXE boot process in UEFI mode =
9 9  
10 -Der Ablauf gestaltet sich typischerweise wie folgt:
12 +The process typically proceeds as follows:
11 11  
12 -1. **UEFI-Firmware-Initialisierung**
13 -Die Firmware initialisiert Hardwarekomponenten und prüft, ob Secure Boot aktiv ist. Anschließend startet sie den Netzwerkstack für den PXE-Boot.
14 -1. **DHCP-Anfrage und Bootdatei-Zuweisung**
15 -Der PXE-Client sendet eine DHCP-Anfrage und erhält IP-Adresse, Bootserver (TFTP/HTTP) und den Namen der zu ladenden Bootdatei, typischerweise ##bootx64.efi##.
16 -1. **Shim-Start (Microsoft-signiert)**
17 -Die Firmware lädt ##bootx64.efi## (den Shim-Bootloader). Da dieser von Microsoft signiert ist, wird er als vertrauenswürdig akzeptiert.
18 -1. **GRUB-Start (Distribution-signiert)**
19 -Der Shim-Bootloader lädt ##grubx64.efi## und überprüft dessen Signatur anhand der im Shim-Paket eingebetteten Zertifikate der Distribution.
20 -1. **Kernel- und Initramfs-Start**
21 -GRUB lädt den Kernel (##vmlinuz##) und die Initramfs (##initrd.img##). Beide müssen signiert sein, sonst verweigert Secure Boot den Startvorgang.
22 -1. **Systemstart und Schlüsselprüfung**
23 -Erst wenn alle Signaturen ltig sind, wird der Kernel ausgeführt und das Betriebssystem gebootet.
14 +1. **UEFI firmware initialisation**
15 +The firmware initialises hardware components and checks whether Secure Boot is active. It then starts the network stack for PXE boot.
16 +1. **DHCP request and boot file assignment**
17 +The PXE client sends a DHCP request and receives the IP address, boot server (TFTP/HTTP) and the name of the boot file to be loaded, typically ##bootx64.efi##.
18 +1. **Shim start (Microsoft signed)**
19 +The firmware loads ##bootx64.efi## (the Shim bootloader). Since this is signed by Microsoft, it is accepted as trustworthy.
20 +1. **GRUB boot (Distribution signed)**
21 +The Shim bootloader loads ##grubx64.efi## and verifies its signature using the distribution certificates embedded in the Shim package.
22 +1. **Kernel and initramfs start**
23 +GRUB loads the kernel (##vmlinuz##) and the initramfsd (##initrd.img##). Both must be signed, otherwise Secure Boot will deny access to the boot process.
24 +1. **System start and key verification**
25 +Only when all signatures are valid will the kernel be executed and the operating system booted.
24 24  
25 -Diese Architektur stellt sicher, dass während des gesamten Bootvorgangs nur verifizierte und signierte Komponenten ausgeführt werden.
27 +This architecture ensures that only verified and signed components are executed during the entire boot process.
26 26  
27 27  = Vorbereitung der Bootdateien =
28 28  
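Review bot: the translated step 5 (new line 23, "Both must be signed, otherwise Secure Boot will deny access to the boot process") overstates what this chain verifies: in the shim/GRUB chain the page describes, GRUB hands the kernel image (##vmlinuz##) to shim for signature verification, but the initramfs (##initrd.img##) is loaded without a signature check, so the sentence should say that the kernel must be signed and that an unsigned kernel causes the boot to be refused, rather than that both files are checked. The same line has the typo "initramfsd" (new line 23) and a mistranslation: the German "verweigert Secure Boot den Startvorgang" means Secure Boot refuses to continue the boot, not that it "denies access" to it. Also the step titles are inconsistent ("Shim start (Microsoft signed)" vs. "GRUB boot (Distribution signed)"; pick "start" for both), and the context heading at the end of the hunk, "= Vorbereitung der Bootdateien =", is still German, so the translation stops one heading short ("= Preparing the boot files =").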
© Aagon GmbH 2026
Visit our Aagon Community