Re: EFI and multiboot2 devlopment work for Xen

From: Daniel Kiper
Subject: Re: EFI and multiboot2 devlopment work for Xen
Date: Wed, 23 Oct 2013 09:43:34 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Oct 21, 2013 at 11:16:24PM +0200, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> Mail is big, I think I got your essential points but I didn't read it whole.
> On 21.10.2013 14:57, Daniel Kiper wrote:
> > Hi,
> >
> > During work on multiboot2 protocol support for Xen it was discovered
> > that memory map passed via relevant tag could not represent wide range
> > of memory types available on EFI platforms. Additionally, GRUB2
> > implementation calls ExitBootServices() on them just before jumping
> > into loaded image. In this situation loaded system could not clearly
> > identify reserved memory regions, EFI runtime services regions and others.
> >
> Will a multiboot2 tag with whole EFI memory map solve your problem?
> > Additionally, it should be mentioned that there is no possibility or it could
> > be very difficult to implement secure boot on EFI platforms using GRUB2 as boot
> > loader because, as it was mentioned earlier, it calls ExitBootServices().
> >
> GRUB has generic support for signing kernels/modules/whatsoever using
> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
> method doesn't have any controversy associated with EFI stuff but at
> this particular case does exactly the same thing: verify signature.
> multiboot2 is mainly memory structure specification so probably how the
> files are checked is outside of its scope. But it's possible to add
> specification on how to embed signatures in kernel.

I think that EFI signatures should be supported because they are quite
common right now. However, I think that it is also worth supporting
GnuPG signatures. This way anybody will be able to choose a good solution
for a given case.

Daniel