grub-devel
Re: [RFC PATCH 4/4] kern/efi/sb: Use shim to verify font files


From: Dimitri John Ledkov
Subject: Re: [RFC PATCH 4/4] kern/efi/sb: Use shim to verify font files
Date: Wed, 7 Dec 2022 03:47:21 +0000

Yes yes yes yes. Signed dtb in grub at last.

On Wed, 7 Dec 2022, 03:16 Michael Chang via Grub-devel, <grub-devel@gnu.org> wrote:
On Tue, Dec 06, 2022 at 11:09:57AM -0500, Robbie Harwood wrote:
> Zhang Boyang <zhangboyang.id@gmail.com> writes:
>
> > Since font files can be wrapped as PE images by grub-wrap, use shim to
> > verify font files if Secure Boot is enabled. To prevent other PE files
> > (e.g. kernel images) from being used as wrappers, it only allows files
> > marked as Windows GUI to be used as wrappers.
>
> Thanks for writing this; it's helpful to have something concrete to look
> at.
>
> This approach is very font-focused, and while I understand that given
> the discussion, I do still wonder if it wouldn't be better to make fonts
> an instance of modules.  If fonts become instances of modules, and
> modules are wrapped into PE files, that not only seems cleaner but also
> gives us signed module support without baking those into the image.

Why not just make the PE wrap applicable to all file types, be it font
files, grub modules or even (static) initrd? Providing a solution to
sign arbitrary data or binaries with this PE envelope sounds to me like a
very attractive feature and worth the extra mile. :)

Thanks,
Michael

>
> What do you think?
>
> Be well,
> --Robbie


