From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1VYfVh-0000PS-Hn for mharc-grub-devel@gnu.org; Tue, 22 Oct 2013 13:12:49 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50651) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VYfVX-0000Om-VZ for grub-devel@gnu.org; Tue, 22 Oct 2013 13:12:48 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VYfVP-00052k-Gu for grub-devel@gnu.org; Tue, 22 Oct 2013 13:12:39 -0400 Received: from mail-la0-x22d.google.com ([2a00:1450:4010:c03::22d]:51788) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VYfVP-00051j-7L for grub-devel@gnu.org; Tue, 22 Oct 2013 13:12:31 -0400 Received: by mail-la0-f45.google.com with SMTP id hp15so2534563lab.32 for ; Tue, 22 Oct 2013 10:12:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-type; bh=GYX3l64PD+14sWtOk6mN95/DYj/uPJhWZsXsUdOw7R0=; b=HNV7jIUJB9p17xEup39Rtepzm7yn7wzH0Yt8tIDyxD+Fx9ACqXIlX6MIrz0eBPZM1+ MeYtdx1HkGtxjLtM3c1DhwoWKKkgUV0cXVkV5rsufeAvnaJTx+TQWvgbskKbyEtVcHFz /j9vpXlZVssYAHXZn/3uEs6GGWEnXMzElBoKmScjGucj1x/HMpyHpGwFbX6/FhPyTKSc siJsyEWrqGOVvAlIOFkJnqACzD6wqqFS8Nn7HqZLU5QKUiwwgSXCSgfq3bBdABzG7lOY naeHmL56xGhY7LqjyGfFRgjjaQ63NAQrfmwAxDbv8NId0c4s8IlqdXS7gGu+Vd/K84qV nRpg== X-Received: by 10.152.20.74 with SMTP id l10mr2072490lae.46.1382461949501; Tue, 22 Oct 2013 10:12:29 -0700 (PDT) Received: from opensuse.site (ppp91-76-150-246.pppoe.mtu-net.ru. [91.76.150.246]) by mx.google.com with ESMTPSA id ny3sm16395452lbb.12.2013.10.22.10.12.28 for (version=SSLv3 cipher=RC4-SHA bits=128/128); Tue, 22 Oct 2013 10:12:28 -0700 (PDT) Date: Tue, 22 Oct 2013 21:12:27 +0400 From: Andrey Borzenkov To: The development of GNU GRUB Subject: Re: EFI and multiboot2 devlopment work for Xen Message-ID: <20131022211227.367d3997@opensuse.site> In-Reply-To: <526599A8.9090501@gmail.com> References: <20131021125756.GA3626@debian70-amd64.local.net-space.pl> <526599A8.9090501@gmail.com> X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.18; x86_64-suse-linux-gnu) Mime-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_/bA_TVaiY6NygKBBuw1sdoQ2"; protocol="application/pgp-signature" X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2a00:1450:4010:c03::22d Cc: keir@xen.org, ian.campbell@citrix.com, stefano.stabellini@eu.citrix.com, phcoder@gmail.com, Daniel Kiper , linux-kernel@vger.kernel.org, xen-devel@lists.xen.org, jbeulich@suse.com, ross.philipson@citrix.com, boris.ostrovsky@oracle.com, richard.l.maliszewski@intel.com, david.woodhouse@intel.com X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: The development of GNU GRUB List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Oct 2013 17:12:48 -0000 --Sig_/bA_TVaiY6NygKBBuw1sdoQ2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable =D0=92 Mon, 21 Oct 2013 23:16:24 +0200 Vladimir '=CF=86-coder/phcoder' Serbinenko =D0=BF=D0=B8= =D1=88=D0=B5=D1=82: > GRUB has generic support for signing kernels/modules/whatsoever using > GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This > method doesn't have any controversy associated with EFI stuff but at > this particular case does exactly the same thing: verify signature. > multiboot2 is mainly memory structure specification so probably how the > files are checked is outside of its scope. But it's possible to add > specification on how to embed signatures in kernel. >=20 I'm a bit skeptical here. Given that - EFI secure boot will still be needed to handle Windows - kernel can be launched directly as EFI application - there are other bootloaders with secure boot support distributions will likely need to carry on EFI secure boot support. At which point it is not clear what advantages second, parallel, infrastructure for the sake of single application will bring. The most compelling reason would be allowing module loading (which is currently disabled by secure boot patches). --Sig_/bA_TVaiY6NygKBBuw1sdoQ2 Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlJmsfsACgkQR6LMutpd94xY7ACfenRofnQwW+3fSdx6k3OWsUPM G5IAnjj9Llm0MxKJg+82+cdoMHGZpamj =+ahS -----END PGP SIGNATURE----- --Sig_/bA_TVaiY6NygKBBuw1sdoQ2-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753794Ab3JVRMc (ORCPT ); Tue, 22 Oct 2013 13:12:32 -0400 Received: from mail-lb0-f169.google.com ([209.85.217.169]:46176 "EHLO mail-lb0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753018Ab3JVRMa (ORCPT ); Tue, 22 Oct 2013 13:12:30 -0400 Date: Tue, 22 Oct 2013 21:12:27 +0400 From: Andrey Borzenkov To: The development of GNU GRUB Cc: phcoder@gmail.com, keir@xen.org, ian.campbell@citrix.com, Daniel Kiper , stefano.stabellini@eu.citrix.com, linux-kernel@vger.kernel.org, ross.philipson@citrix.com, jbeulich@suse.com, boris.ostrovsky@oracle.com, xen-devel@lists.xen.org, richard.l.maliszewski@intel.com, david.woodhouse@intel.com Subject: Re: EFI and multiboot2 devlopment work for Xen Message-ID: <20131022211227.367d3997@opensuse.site> In-Reply-To: <526599A8.9090501@gmail.com> References: <20131021125756.GA3626@debian70-amd64.local.net-space.pl> <526599A8.9090501@gmail.com> X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.18; x86_64-suse-linux-gnu) Mime-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_/bA_TVaiY6NygKBBuw1sdoQ2"; protocol="application/pgp-signature" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --Sig_/bA_TVaiY6NygKBBuw1sdoQ2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable =D0=92 Mon, 21 Oct 2013 23:16:24 +0200 Vladimir '=CF=86-coder/phcoder' Serbinenko =D0=BF=D0=B8= =D1=88=D0=B5=D1=82: > GRUB has generic support for signing kernels/modules/whatsoever using > GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This > method doesn't have any controversy associated with EFI stuff but at > this particular case does exactly the same thing: verify signature. > multiboot2 is mainly memory structure specification so probably how the > files are checked is outside of its scope. But it's possible to add > specification on how to embed signatures in kernel. >=20 I'm a bit skeptical here. Given that - EFI secure boot will still be needed to handle Windows - kernel can be launched directly as EFI application - there are other bootloaders with secure boot support distributions will likely need to carry on EFI secure boot support. At which point it is not clear what advantages second, parallel, infrastructure for the sake of single application will bring. The most compelling reason would be allowing module loading (which is currently disabled by secure boot patches). --Sig_/bA_TVaiY6NygKBBuw1sdoQ2 Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlJmsfsACgkQR6LMutpd94xY7ACfenRofnQwW+3fSdx6k3OWsUPM G5IAnjj9Llm0MxKJg+82+cdoMHGZpamj =+ahS -----END PGP SIGNATURE----- --Sig_/bA_TVaiY6NygKBBuw1sdoQ2--