RFC: Signed grub extension images

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RFC: Signed grub extension images

From:	Julian Andres Klode
Subject:	RFC: Signed grub extension images
Date:	Wed, 26 Jul 2023 11:52:58 +0200

Hi,

after some thinking about device trees and secure boot today, I
pondered if we should just allow wrapping a filesystem image in a
signed PE binary into a "grubext" section perhaps. Use cases can be:

- signed fonts packages
- signed themes packages
- signed device trees

This probably needs some reworking of the verifiers such that if we
load files from the image in the signed PE, they inherit the
verification.

The caveat is that this works for architectures with secure uefi boot,
but for example, the secure boot on POWER has a different scheme for
signing.

A GPG-based solution which grub already has kind of works for
everyone, but it involves gpg and exists outside the normal boot trust
chain which seems suboptimal to me - tying the data we load directly
to the shim or firmware certificate is a nicer theory.

[Prev in Thread]

Current Thread

[Next in Thread]

RFC: Signed grub extension images, Julian Andres Klode <=

Prev by Date: [PATCH] util/grub-mount: fix memory leak in fuse_getattr
Next by Date: [PATCH] docs: Group usage of user-space utilities into single chapter
Previous by thread: [PATCH] util/grub-mount: fix memory leak in fuse_getattr
Next by thread: [PATCH] docs: Group usage of user-space utilities into single chapter
Index(es):
- Date
- Thread