[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20131023074334.GS3626@debian70-amd64.local.net-space.pl>
Date: Wed, 23 Oct 2013 09:43:34 +0200
From: Daniel Kiper <daniel.kiper@...cle.com>
To: "Vladimir 'φ-coder/phcoder' Serbinenko"
<phcoder@...il.com>
Cc: The development of GNU GRUB <grub-devel@....org>,
boris.ostrovsky@...cle.com, david.woodhouse@...el.com,
ian.campbell@...rix.com, jbeulich@...e.com, keir@....org,
konrad.wilk@...cle.com, pjones@...hat.com,
richard.l.maliszewski@...el.com, ross.philipson@...rix.com,
stefano.stabellini@...citrix.com, xen-devel@...ts.xen.org,
linux-kernel@...r.kernel.org
Subject: Re: EFI and multiboot2 devlopment work for Xen
On Mon, Oct 21, 2013 at 11:16:24PM +0200, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> Mail is big, I think I got your essential points but I didn't read it whole.
> On 21.10.2013 14:57, Daniel Kiper wrote:
> > Hi,
> >
> > During work on multiboot2 protocol support for Xen it was discovered
> > that memory map passed via relevant tag could not represent wide range
> > of memory types available on EFI platforms. Additionally, GRUB2
> > implementation calls ExitBootServices() on them just before jumping
> > into loaded image. In this situation loaded system could not clearly
> > identify reserved memory regions, EFI runtime services regions and others.
> >
> Will a multiboot2 tag with whole EFI memory map solve your problem?
> > Additionally, it should be mentioned that there is no possibility or it could
> > be very difficult to implement secure boot on EFI platforms using GRUB2 as boot
> > loader because, as it was mentioned earlier, it calls ExitBootServices().
> >
> GRUB has generic support for signing kernels/modules/whatsoever using
> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
> method doesn't have any controversy associated with EFI stuff but at
> this particular case does exactly the same thing: verify signature.
> multiboot2 is mainly memory structure specification so probably how the
> files are checked is outside of its scope. But it's possible to add
> specification on how to embed signatures in kernel.
I think that EFI signatures should be supported because they are quite
common right now. However, I think that it is also worth to support
GnuPG signatures. This way anybody will be able to choose good solution
for a given case.
Daniel
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists