From: Robbie Harwood
To: Steve McIntyre, grub-devel@gnu.org
Subject: Re: Fonts and theming and what to do in future with SB
In-Reply-To: <20221129183523.GN3245702@tack.einval.com>
References: <20221129183523.GN3245702@tack.einval.com>
Date: Tue, 29 Nov 2022 15:24:51 -0500
Steve McIntyre writes:

> Hey folks!
>
> So, with the latest set of GRUB CVE patches we've fixed up a bunch of
> potential crashes in font-handling code that could lead to Secure Boot
> holes. These are good and useful fixes, and thanks to Zhang Boyang and
> everyone else involved!
>
> There were also a few other changes:
>
> * In SB mode, refuse to load fonts from outside of the signed GRUB
>   image
> * Restrictions to image dimensions
> * Fix integer overflow in fbutil
>
> Locking down fonts here has caused some issues that I've seen.
>
> We didn't update the config generation code in util/grub.d, so we're
> still generating grub.cfg files that will try (and fail!) to load
> fonts from other locations at runtime in SB mode. This causes ugly
> errors, and also causes GRUB to fail to set up video as normal. We can
> fix this, but it would be nice to agree on something upstream rather
> than as diverging distro patches.
>
> AFAIK Chris Coulson has a patch for the font loader to cause it to try
> loading fonts from the embedded memdisk first. Is that the best
> approach? If so, what fonts should we be embedding in the signed
> image? It's a tradeoff between size and functionality, of course -
> some people are happy with just "unicode" while others may want a
> wider choice for added theming options. Is the size an issue for most
> people?
>
> Or... Could/should we look at options to sign fonts separately? I've
> heard suggestions to embed them into faked-up modules that we could
> load with insmod, but of course we don't support signing modules yet
> anyway... :-)

I personally don't like that we *pretend* we do have signed modules - that
is, we pretend that `insmod` works when it doesn't. (I am ambivalent on
whether we should have signed standalone module support in general.) So
while I appreciate Chris's patch and am shipping it, I don't think faking
`loadfont` too is a good longer-term solution.

I understood that these kinds of decisions have been made because it's
easier than patching the config generation code. I know we're getting into
"boil the ocean" territory, but maybe there's work that could be done to
improve that situation? In general the feedback I've been getting on grub
config is that it would be nice if we had less of it, for whatever that's
worth.

It's also odd that we've elected to lock down fonts in this way but not
images.

Perhaps this is a good opportunity to rethink how much customization we
actually want to provide to distros and end users of our packages.
Concretely, it seems that we expose customization for three use cases:

1. Distro branding. A Debian or RHEL or what have you wants to make their
   ISO perhaps say the distro name at the top and have a logo background
   or something.

2. Localization. It is reasonable for users to want prompts and text on
   the screen to appear in the language of their choice.

3. Making it look cool / use the font I want / etc.

I think localization is resolved by bundling the unicode font, and it's a
good idea to default to having that around. Distro branding seems to me a
limited use case - we can just bundle whatever we need for that into our
signed images, if we want. I'm less interested in any other customization:
in RHEL and Fedora, we generally don't show a menu at all. I would not
personally be upset if we just removed most of the customizability - but
I'm also not the target audience.

Thanks Steve for raising the issue on-list. I'm curious what other distro
vendors here think too.
Be well,
--Robbie
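For reference, here is the kind of grub.cfg fragment the thread is talking about when it says util/grub.d could be fixed instead of faking `loadfont`: it tries the font copy embedded in the signed image first and falls back to the on-disk copy, so a Secure Boot system never hits the refused path. This is an added example, not code from the thread or from GRUB's own util/grub.d; the memdisk path (memdisk)/fonts/unicode.pf2 is an assumption about where a distro would embed the font, and ${prefix}/fonts/unicode.pf2 is the usual grub-install location.

```grub
# Added example (not from the thread or from GRUB's util/grub.d).
# Assumed paths: (memdisk)/fonts/unicode.pf2 is where the distro embedded
# the font when building the signed image; ${prefix}/fonts/unicode.pf2 is
# the on-disk copy, which the CVE fixes refuse to load in Secure Boot mode.

set font_loaded=0

# 1. Embedded copy: part of the signed image, so allowed under Secure Boot.
if loadfont (memdisk)/fonts/unicode.pf2; then
  set font_loaded=1
# 2. On-disk copy: fine without Secure Boot, but fails (and prints the
#    "ugly error" from the thread) when SB is enforced, so it is only
#    attempted when no embedded copy exists.
elif loadfont ${prefix}/fonts/unicode.pf2; then
  set font_loaded=1
fi

if [ "${font_loaded}" = 1 ]; then
  # A font is available, so graphical terminal setup can proceed as usual.
  set gfxmode=auto
  insmod all_video
  insmod gfxterm
  terminal_output gfxterm
else
  # No usable font: stay on the text console rather than leaving video
  # half-configured, which is the failure Steve describes.
  terminal_output console
fi
```

Under Secure Boot with the assumed memdisk layout only the first `loadfont` runs, so the generated config produces no error and gfxterm comes up normally.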