[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE
|
From: |
Ross Lagerwall |
|
Subject: |
Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type |
|
Date: |
Thu, 14 Mar 2024 14:24:31 +0000 |
On Thu, Mar 14, 2024 at 1:37 PM Jan Beulich <jbeulich@suse.com> wrote:
>
> On 14.03.2024 10:30, Ross Lagerwall wrote:
> > On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich <jbeulich@suse.com> wrote:
> >>
> >> On 13.03.2024 16:07, Ross Lagerwall wrote:
> >>> In addition to the existing address and ELF load types, specify a new
> >>> optional PE binary load type. This new type is a useful addition since
> >>> PE binaries can be signed and verified (i.e. used with Secure Boot).
> >>
> >> And the consideration to have ELF signable (by whatever extension to
> >> the ELF spec) went nowhere?
> >>
> >
> > I'm not sure if you're referring to some ongoing work to create signable
> > ELFs that I'm not aware of.
>
> Something must have been invented already to make Linux modules signable.
Linux module signatures operate outside of the ELF container. In fact,
AFAIK the actual signed content could be anything. The file format is:
* Content (i.e. ELF binary)
* Signature of content in PKCS7 format
* Signature info, including signature length
* Magic marker: "~Module signature appended~\n"
This kind of arrangement does indeed work but it is fragile. Since the
signature is on the entire contents and tools that understand ELF don't
parse the signature, any transformation of the binary (e.g. to
strip out debuginfo) will cause the signature to be lost / invalidated.
Nevertheless, this could still be an option for Xen if this is
deemed to be a preferred solution by others. It would be good to hear
some opinions on this.
>
> > I didn't choose that route because:
> >
> > * Signed PE binaries are the current standard for Secure Boot.
> >
> > * Having signed ELF binaries would mean that code to handle them needs
> > to be added to Shim which contravenes its goals of being small and
> > simple to verify.
>
> Both true, but neither goes entirely without saying, I suppose.
>
> > * I could be wrong on this but to my knowledge, the ELF format is not
> > being actively updated nor is the standard owned/maintained by a
> > specific group which makes updating it difficult.
>
> And PE/COFF isn't under control of a public entity / group afaik, which
> may be viewed as no better, if not worse.
Agreed, I guess my point was that PE/COFF doesn't need to be updated to
support signing because it already supports it.
Thanks,
Ross
- [PATCH 0/7] GRUB: Supporting Secure Boot of xen.gz, Ross Lagerwall, 2024/03/13
- [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Ross Lagerwall, 2024/03/13
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Jan Beulich, 2024/03/14
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Damien Zammit, 2024/03/14
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Vladimir 'phcoder' Serbinenko, 2024/03/14
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Ross Lagerwall, 2024/03/14
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Jan Beulich, 2024/03/14
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type,
Ross Lagerwall <=
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Jan Beulich, 2024/03/14
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Roger Pau Monné, 2024/03/19
Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type, Roger Pau Monné, 2024/03/19
[PATCH 3/7] multiboot2: Add support for the load type header tag, Ross Lagerwall, 2024/03/13
[PATCH 2/7] multiboot2: Allow 64-bit entry tags, Ross Lagerwall, 2024/03/13