Re: EFI and multiboot2 devlopment work for Xen

From: Vladimir 'Ï-coder/phcoder' Serbinenko
Date: Tue Oct 22 2013 - 13:20:54 EST


On 22.10.2013 19:12, Andrey Borzenkov wrote:
> Ð Mon, 21 Oct 2013 23:16:24 +0200
> Vladimir 'Ï-coder/phcoder' Serbinenko <phcoder@xxxxxxxxx> ÐÐÑÐÑ:
>
>> GRUB has generic support for signing kernels/modules/whatsoever using
>> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
>> method doesn't have any controversy associated with EFI stuff but at
>> this particular case does exactly the same thing: verify signature.
>> multiboot2 is mainly memory structure specification so probably how the
>> files are checked is outside of its scope. But it's possible to add
>> specification on how to embed signatures in kernel.
>>
>
> I'm a bit skeptical here. Given that
>
> - EFI secure boot will still be needed to handle Windows
> - kernel can be launched directly as EFI application
> - there are other bootloaders with secure boot support
>
> distributions will likely need to carry on EFI secure boot support. At
> which point it is not clear what advantages second, parallel,
> infrastructure for the sake of single application will bring.
>
Using PE signatures is possible as I already said which invalidates your
points.
> The most compelling reason would be allowing module loading (which is
> currently disabled by secure boot patches).
>


Attachment: signature.asc
Description: OpenPGP digital signature