[RFC PATCH 0/4] Wrap font files into PE files

From: Zhang Boyang
Subject: [RFC PATCH 0/4] Wrap font files into PE files
Date: Mon, 5 Dec 2022 21:06:01 +0800


This patchset introduces a utility: grub-wrap. It can wrap a non-PE file
as a PE file, which can be subsequently digitally signed (and verified
by shim). The wrapped file will be unwrapped at runtime automatically
and transparently by the unwrap filter.

With grub-wrap, a PF2 font file can be wrapped and digitally signed. The
name of the PE section must be .GRUBpf2, to clearly identify that such a
PE file is a wrapper of a PF2 font file.

Example usage:

# generate a MOK key for signing
pesign --certificate 'MyKey' --export-cert MyKey.crt

# import the new MOK key
mokutil --import MyKey.crt

# wrap unicode.pf2 as unicode.pf2.dll
grub-wrap --input unicode.pf2 --output unicode.pf2.dll --name .GRUBpf2 -O

# sign the wrapper with MOK key
pesign --in unicode.pf2.dll --out /boot/grub/fonts/unicode.pf2 --force \
    --certificate 'MyKey' --sign

There is one problem: those wrappers mustn't be accepted by other PE
loaders. To distinguish these wrappers from normal EFI applications, I
decided to make these wrappers look like plain Windows resource-only
DLLs (no entry point, and subsystem tag is set to Windows GUI instead of
EFI Application). Currently, shim, tianocore, and my patched GRUB will
reject these wrappers while trying to use them as executables. However,
I'm not sure whether in-market UEFI firmware will reject them. So I
think the best workaround is to forbid keys available in firmware from
signing these wrappers, and only use keys in shim to sign wrappers (this
seems like exactly what we are doing for GRUB itself).

Best Regards,
Zhang Boyang
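To make the distinguishing marks described above concrete, here is an added example (not part of this patchset and not grub-wrap's own code): it builds a constructed, minimal wrapper-style PE32+ image and then applies the checks a loader would use to accept only such a wrapper: no entry point, Windows GUI subsystem, exactly one .GRUBpf2 section whose content starts with the PF2 file header. The header layout, the PF2 magic bytes and all function names are my assumptions, not taken from the patches.

```python
import struct

SUBSYSTEM_WINDOWS_GUI, SUBSYSTEM_EFI_APPLICATION = 2, 10  # wrapper tag vs. real EFI binary
WRAPPER_SECTION = b".GRUBpf2"
PFF2_MAGIC = b"FILE\0\0\0\x04PFF2"  # assumed leading bytes of a PF2 font file

def build_wrapper(payload, section=WRAPPER_SECTION, subsystem=SUBSYSTEM_WINDOWS_GUI, entry=0):
    # Constructed minimal PE32+ image (hypothetical layout, not grub-wrap's own output):
    # DOS header, PE signature, COFF header, optional header, one section header, payload.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew: PE header at offset 64
    raw_off = (64 + 4 + 20 + 112 + 40 + 511) & ~511     # payload at 512-byte file alignment
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 112, 0x2022)  # x86-64, 1 section, DLL
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 0, 0, 0, len(payload), 0,
                      entry, 0, 0x10000000, 0x1000, 512, 0, 0, 0, 0, 0, 0, 0,
                      raw_off + 0x1000, raw_off, 0, subsystem, 0, 0, 0, 0, 0, 0, 0)
    sect = struct.pack("<8sIIIIIIHHI", section.ljust(8, b"\0"), len(payload), 0x1000,
                       len(payload), raw_off, 0, 0, 0, 0, 0x40000040)  # initialized data, readable
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_off, b"\0") + payload

def parse_pe(data):
    """Return (AddressOfEntryPoint, Subsystem, [(section name, raw bytes), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24                                        # optional header follows 20-byte COFF header
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        name, _, _, size, ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), data[ptr:ptr + size]))
    return entry, subsystem, sections

def unwrap_pf2(data):
    """Return the PF2 payload of a resource-only wrapper, or None if the file is rejected."""
    entry, subsystem, sections = parse_pe(data)
    if entry != 0 or subsystem != SUBSYSTEM_WINDOWS_GUI:
        return None  # has an entry point or an executable subsystem: could run as a program
    if len(sections) != 1 or sections[0][0] != WRAPPER_SECTION:
        return None  # a wrapper carries exactly one section, named .GRUBpf2
    if not sections[0][1].startswith(PFF2_MAGIC):
        return None  # section content is not a PF2 font
    return sections[0][1]
```

The same three checks are what a PE loader would need to apply in reverse: anything that passes them is not something it should execute.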

