From: Vladimir 'φ-coder/phcoder' Serbinenko
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: Matthew Garrett, keir@xen.org, David Woodhouse, stefano.stabellini@eu.citrix.com, Daniel Kiper, linux-kernel@vger.kernel.org, xen-devel@lists.xen.org, Jan Beulich, ross.philipson@citrix.com, Richard L. Maliszewski, boris.ostrovsky@oracle.com, Ian Campbell
Date: Tue, 22 Oct 2013 18:24:13 +0200
Subject: Re: EFI and multiboot2 development work for Xen
Message-ID: <5266A6AD.90004@gmail.com>
In-Reply-To: <20131022160146.GH3626@debian70-amd64.local.net-space.pl>

On 22.10.2013 18:01, Daniel Kiper wrote:
> On Tue, Oct 22, 2013 at 03:42:42PM +0000, Woodhouse, David wrote:
>> On Tue, 2013-10-22 at 16:32 +0100, Matthew Garrett wrote:
>>>
>>> There are two problems with this:
>>>
>>> 1) The kernel will only boot if it's signed with a key in db, not a key
>>> in MOK.
>>> 2) grub will read the kernel, but the kernel will have to read the
>>> initramfs using EFI calls. That means your initramfs must be on a FAT
>>> partition.
>>>
>>> If you're happy with those limitations then just use the chainloader
>>> command. If you're not, use the linuxefi command.
>>
>> Well, we're talking about booting the Xen hypervisor, aren't we?
>>
>> So yes, there are reasons the Linux kernel uses the 'boot stub' the way
>> it does, but I'm not sure we advocate that Xen should emulate that in
>> all its 'glory'?
>
> Right, I think that a sensible mixture of the multiboot2 protocol (it is needed
> to pass at least the modules list to Xen; IIRC, linuxefi uses the Linux Boot protocol
> for it) with the extension proposed by Vladimir and something similar to the linuxefi
> command will solve our problem (I proposed it in my first email). Users who
> do not need SB may use upstream GRUB2 and others could use the
> 'multiboot2efi extension'.

I think it's possible to handle Secure Boot with the same multiboot2 base. Correct me if I'm wrong, but Secure Boot doesn't specify the format of signatures, only that they should be present and checked. So why not make the only difference between the Secure-Boot-enabled and non-Secure-Boot-enabled versions that the former enforces signatures even against the user's will? This would reduce the policy-changer patch to about 100 lines. The signature format to use can be discussed as well. My main problem with PE signatures as used for EFI is their apparent complexity, but I haven't looked into them yet.

>
> Daniel