| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Oct 2013 09:43:34 +0200 From: Daniel Kiper <daniel.kiper@...cle.com> To: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@...il.com> Cc: The development of GNU GRUB <grub-devel@....org>, boris.ostrovsky@...cle.com, david.woodhouse@...el.com, ian.campbell@...rix.com, jbeulich@...e.com, keir@....org, konrad.wilk@...cle.com, pjones@...hat.com, richard.l.maliszewski@...el.com, ross.philipson@...rix.com, stefano.stabellini@...citrix.com, xen-devel@...ts.xen.org, linux-kernel@...r.kernel.org Subject: Re: EFI and multiboot2 devlopment work for Xen On Mon, Oct 21, 2013 at 11:16:24PM +0200, Vladimir 'φ-coder/phcoder' Serbinenko wrote: > Mail is big, I think I got your essential points but I didn't read it whole. > On 21.10.2013 14:57, Daniel Kiper wrote: > > Hi, > > > > During work on multiboot2 protocol support for Xen it was discovered > > that memory map passed via relevant tag could not represent wide range > > of memory types available on EFI platforms. Additionally, GRUB2 > > implementation calls ExitBootServices() on them just before jumping > > into loaded image. In this situation loaded system could not clearly > > identify reserved memory regions, EFI runtime services regions and others. > > > Will a multiboot2 tag with whole EFI memory map solve your problem? > > Additionally, it should be mentioned that there is no possibility or it could > > be very difficult to implement secure boot on EFI platforms using GRUB2 as boot > > loader because, as it was mentioned earlier, it calls ExitBootServices(). > > > GRUB has generic support for signing kernels/modules/whatsoever using > GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This > method doesn't have any controversy associated with EFI stuff but at > this particular case does exactly the same thing: verify signature. > multiboot2 is mainly memory structure specification so probably how the > files are checked is outside of its scope. But it's possible to add > specification on how to embed signatures in kernel. I think that EFI signatures should be supported because they are quite common right now. However, I think that it is also worth to support GnuPG signatures. This way anybody will be able to choose good solution for a given case. Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists