Re: [RFC] UEFI Secure Boot on Xen Hosts
On Wed, Apr 29, 2020 at 05:51:08PM -0500, Bobby Eshleman wrote:
>
> # Option #1: PE/COFF and Shim
>
... snip ...
>
> # Option #3: Lean on Grub2's LoadFile2() Verification
>
... snip ...

It's safe to say that the options boiled down to #1 and #3.

Seeing as how we may not be able to start playing with the new Grub functionality for some time, and also seeing as how the security properties of each approach are very similar, I think that option #1 is probably the best path for what we are looking to achieve in supporting UEFI SB. Without any strong objections against this, that'll be the path we start heading down (starting with Daniel's patch set) and will be hoping to get upstream.

If possible, the implementation would support both SHIM_LOCK and LoadFile2(), potentially by one falling back to the other upon reporting a security violation, or detecting the functionality provided by Grub in some manner... but this will be easier to evaluate after seeing how the LoadFile2() mechanism will work. If LoadFile2() proves itself a better approach, we would not be opposed to moving in that direction when it is available.

I started joining community calls shortly after the intent of 'docs/design' was discussed there. Is this a change that merits a 'docs/design' RFC?

Best regards,
Bobby