From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: keir@xen.org, ian.campbell@citrix.com,
Daniel Kiper <daniel.kiper@oracle.com>,
stefano.stabellini@eu.citrix.com, linux-kernel@vger.kernel.org,
ross.philipson@citrix.com, jbeulich@suse.com,
boris.ostrovsky@oracle.com, xen-devel@lists.xen.org,
richard.l.maliszewski@intel.com, david.woodhouse@intel.com
Subject: Re: EFI and multiboot2 devlopment work for Xen
Date: Mon, 21 Oct 2013 23:16:24 +0200
Message-ID: <526599A8.9090501@gmail.com>
In-Reply-To: <20131021125756.GA3626@debian70-amd64.local.net-space.pl>
The mail is big; I think I got your essential points, but I didn't read it whole.
On 21.10.2013 14:57, Daniel Kiper wrote:
> Hi,
>
> During work on multiboot2 protocol support for Xen it was discovered
> that the memory map passed via the relevant tag could not represent the wide range
> of memory types available on EFI platforms. Additionally, the GRUB2
> implementation calls ExitBootServices() on them just before jumping
> into the loaded image. In this situation the loaded system could not clearly
> identify reserved memory regions, EFI runtime services regions and others.
>
Will a multiboot2 tag with the whole EFI memory map solve your problem?
> Additionally, it should be mentioned that there is no possibility, or it could
> be very difficult, to implement secure boot on EFI platforms using GRUB2 as the boot
> loader because, as was mentioned earlier, it calls ExitBootServices().
>
GRUB has generic support for signing kernels/modules/whatsoever using
GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
method doesn't have any controversy associated with EFI stuff but in
this particular case does exactly the same thing: verify the signature.
multiboot2 is mainly a memory structure specification, so how the
files are checked is probably outside of its scope. But it's possible to add a
specification on how to embed signatures in the kernel.
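The loss of information the thread is discussing, as an added example that is not GRUB's or Xen's code: an illustrative mapping of EFI memory types onto the five multiboot2 mmap entry types, plus a walker over a constructed EFI memory map showing that runtime-services regions become indistinguishable from other reserved memory once collapsed. The conversion table, the sample map and the helper names are assumptions for illustration; the EFI type numbers and multiboot2 entry types are the ones from the respective specifications.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_MEMORY_TYPE values (UEFI spec, subset) and multiboot2 mmap entry types. */
enum { EFI_RESERVED, EFI_LOADER_CODE, EFI_LOADER_DATA, EFI_BS_CODE, EFI_BS_DATA, EFI_RT_CODE,
       EFI_RT_DATA, EFI_CONVENTIONAL, EFI_UNUSABLE, EFI_ACPI_RECLAIM, EFI_ACPI_NVS, EFI_MMIO };
enum { MB2_AVAILABLE = 1, MB2_RESERVED, MB2_ACPI_RECLAIMABLE, MB2_NVS, MB2_BADRAM };
/* EFI_MEMORY_DESCRIPTOR as laid out in memory. A real map must be walked with
   the firmware-reported DescriptorSize stride, which may exceed sizeof(). */
typedef struct { uint32_t type, pad; uint64_t phys, virt, pages, attr; } efi_desc_t;

/* Illustrative collapse to multiboot2 types (an assumption, not GRUB's code).
   Loader/boot-services memory is free RAM once ExitBootServices() has run, but
   runtime-services, MMIO and truly reserved regions all become MB2_RESERVED. */
uint32_t efi_to_mb2(uint32_t efi_type)
{
    switch (efi_type) {
    case EFI_LOADER_CODE: case EFI_LOADER_DATA: case EFI_BS_CODE:
    case EFI_BS_DATA: case EFI_CONVENTIONAL: return MB2_AVAILABLE;
    case EFI_ACPI_RECLAIM: return MB2_ACPI_RECLAIMABLE;
    case EFI_ACPI_NVS:     return MB2_NVS;
    case EFI_UNUSABLE:     return MB2_BADRAM;
    default:               return MB2_RESERVED;
    }
}
static int is_runtime(uint32_t t)      { return t == EFI_RT_CODE || t == EFI_RT_DATA; }
static int is_mb2_reserved(uint32_t t) { return efi_to_mb2(t) == MB2_RESERVED; }

/* Walk a raw EFI map by its descriptor stride and count entries matching pred. */
size_t count_regions(const uint8_t *m, size_t len, size_t stride, int (*pred)(uint32_t))
{
    size_t n = 0;
    for (size_t off = 0; off + stride <= len; off += stride) {
        uint32_t t;
        memcpy(&t, m + off, sizeof t);   /* Type is the descriptor's first field */
        if (pred(t)) n++;
    }
    return n;
}

/* Constructed sample map (not captured from real firmware). */
static const efi_desc_t sample_map[] = {
    { EFI_RESERVED,     0, 0x00000000, 0, 0x000A0, 0 },
    { EFI_CONVENTIONAL, 0, 0x00100000, 0, 0x7EF00, 0 },
    { EFI_RT_CODE,      0, 0x7F100000, 0, 0x00020, 0 },
    { EFI_RT_DATA,      0, 0x7F120000, 0, 0x00010, 0 },
    { EFI_MMIO,         0, 0xFED00000, 0, 0x00001, 0 },
};
#define SAMPLE (const uint8_t *)sample_map, sizeof sample_map, sizeof(efi_desc_t)
size_t sample_runtime_regions(void) { return count_regions(SAMPLE, is_runtime); }
size_t sample_mb2_reserved(void)    { return count_regions(SAMPLE, is_mb2_reserved); }
```

A kernel given only the multiboot2 map sees four reserved entries and cannot tell which two it must keep mapped for EFI runtime services; a tag carrying the raw EFI map (walked with the firmware's stride) preserves that distinction.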