Re: [RFC PATCH 4/4] kern/efi/sb: Use shim to verify font files

[Robbie Harwood]

Zhang Boyang <zhangboyang.id@gmail.com> writes:

> Since font files can be wrapped as PE images by grub-wrap, use shim to
> verify font files if Secure Boot is enabled. To prevent other PE files
> (e.g. kernel images) used as wrappers, it only allows files marked as
> Windows GUI used as wrappers.

Thanks for writing this; it's helpful to have something concrete to look
at.

This approach is very font-focused, and while I understand that given
the discussion, I do still wonder if it wouldn't be better to make fonts
an instance of modules.  If fonts become instances of modules, and
modules are wrapped into PE files, that not only seems cleaner but also
gives us signed module support without baking those into the image.

What do you think?

Be well,
--Robbie

signature.asc
Description: PGP signature