Re: EFI and multiboot2 devlopment work for Xen

[Vladimir 'φ-coder/phcoder' Serbinenko]

On 22.10.2013 19:12, Andrey Borzenkov wrote:
> В Mon, 21 Oct 2013 23:16:24 +0200
> Vladimir 'φ-coder/phcoder' Serbinenko <address@hidden> пишет:
> 
>> GRUB has generic support for signing kernels/modules/whatsoever using
>> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
>> method doesn't have any controversy associated with EFI stuff but at
>> this particular case does exactly the same thing: verify signature.
>> multiboot2 is mainly memory structure specification so probably how the
>> files are checked is outside of its scope. But it's possible to add
>> specification on how to embed signatures in kernel.
>>
> 
> I'm a bit skeptical here. Given that
> 
> - EFI secure boot will still be needed to handle Windows
> - kernel can be launched directly as EFI application
> - there are other bootloaders with secure boot support
> 
> distributions will likely need to carry on EFI secure boot support. At
> which point it is not clear what advantages second, parallel,
> infrastructure for the sake of single application will bring.
> 
Using PE signatures is possible as I already said which invalidates your
points.
> The most compelling reason would be allowing module loading (which is
> currently disabled by secure boot patches).
>

signature.asc
Description: OpenPGP digital signature