From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1VYMyv-00019X-PZ for mharc-grub-devel@gnu.org; Mon, 21 Oct 2013 17:25:45 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48950) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VYMq3-0007zw-Lz for grub-devel@gnu.org; Mon, 21 Oct 2013 17:16:44 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VYMpv-000370-2k for grub-devel@gnu.org; Mon, 21 Oct 2013 17:16:35 -0400 Received: from mail-ee0-x234.google.com ([2a00:1450:4013:c00::234]:53762) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VYMpu-00036t-Qu for grub-devel@gnu.org; Mon, 21 Oct 2013 17:16:26 -0400 Received: by mail-ee0-f52.google.com with SMTP id d51so1691240eek.39 for ; Mon, 21 Oct 2013 14:16:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=N93E2SFenpBs8JhlfK+LsQ9Yvvu5BdUjT0CHZ7R8JMQ=; b=bmXi1RYHzp4L+jslKR7MBo5mQ8gpfv1Blk3mohszfVWNVB8UCHVkACYvBBhoJ/oLdu 0H1BTo2u1IIcQm1Ec0DxQs5Q9f5k+wRxg+50DnD5/gXuNJT3J0h/UTZ3jVpKH/Lifa74 MeyLUZh9Y7VdESU8ZR9AwbvrhB3aDEwVBZjYxfkh6qT4CM78wT+GdHiBeqMPL8efMRan Pzp2jv2ni9yytjl7nuRZkZ/TNiz3EjsvUnrtA0/gu+QAhkEByUXElAMbPAGPSAoSJ1tJ X6nHmizKJ/RKLwCWHVZFtSszReFIzx7MDhO0rjjZqXszf8wIn1UOR02L1Mj2Isf/cIn5 T2dg== X-Received: by 10.14.2.2 with SMTP id 2mr817030eee.92.1382390186101; Mon, 21 Oct 2013 14:16:26 -0700 (PDT) Received: from [192.168.1.16] (31-249.1-85.cust.bluewin.ch. [85.1.249.31]) by mx.google.com with ESMTPSA id m54sm48332918eex.2.2013.10.21.14.16.24 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 21 Oct 2013 14:16:25 -0700 (PDT) Message-ID: <526599A8.9090501@gmail.com> Date: Mon, 21 Oct 2013 23:16:24 +0200 From: =?UTF-8?B?VmxhZGltaXIgJ8+GLWNvZGVyL3BoY29kZXInIFNlcmJpbmVua28=?= User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131005 Icedove/17.0.9 MIME-Version: 1.0 To: The development of GNU GRUB Subject: Re: EFI and multiboot2 devlopment work for Xen References: <20131021125756.GA3626@debian70-amd64.local.net-space.pl> In-Reply-To: <20131021125756.GA3626@debian70-amd64.local.net-space.pl> X-Enigmail-Version: 1.5.1 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="----enig2TUVERMCVQOSRRMSJPDAL" X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2a00:1450:4013:c00::234 X-Mailman-Approved-At: Mon, 21 Oct 2013 17:25:41 -0400 Cc: keir@xen.org, ian.campbell@citrix.com, Daniel Kiper , stefano.stabellini@eu.citrix.com, linux-kernel@vger.kernel.org, ross.philipson@citrix.com, jbeulich@suse.com, boris.ostrovsky@oracle.com, xen-devel@lists.xen.org, richard.l.maliszewski@intel.com, david.woodhouse@intel.com X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: The development of GNU GRUB List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Oct 2013 21:16:44 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) ------enig2TUVERMCVQOSRRMSJPDAL Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Mail is big, I think I got your essential points but I didn't read it who= le. On 21.10.2013 14:57, Daniel Kiper wrote: > Hi, >=20 > During work on multiboot2 protocol support for Xen it was discovered > that memory map passed via relevant tag could not represent wide range > of memory types available on EFI platforms. Additionally, GRUB2 > implementation calls ExitBootServices() on them just before jumping > into loaded image. In this situation loaded system could not clearly > identify reserved memory regions, EFI runtime services regions and othe= rs. >=20 Will a multiboot2 tag with whole EFI memory map solve your problem? > Additionally, it should be mentioned that there is no possibility or it= could > be very difficult to implement secure boot on EFI platforms using GRUB2= as boot > loader because, as it was mentioned earlier, it calls ExitBootServices(= ). >=20 GRUB has generic support for signing kernels/modules/whatsoever using GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This method doesn't have any controversy associated with EFI stuff but at this particular case does exactly the same thing: verify signature. multiboot2 is mainly memory structure specification so probably how the files are checked is outside of its scope. But it's possible to add specification on how to embed signatures in kernel. ------enig2TUVERMCVQOSRRMSJPDAL Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iF4EAREKAAYFAlJlmagACgkQNak7dOguQgnuFQEAgHdQsQF5mxk2SeZ1oAxhoIfH iR3GubT/Yr3itSw3zEcBAJTNALqQcgRb4Y6oEFex8N+nex7sfa4bkBuMJeVdhtwO =GXi1 -----END PGP SIGNATURE----- ------enig2TUVERMCVQOSRRMSJPDAL--