From: Vladimir 'φ-coder/phcoder' Serbinenko
Date: Tue, 22 Oct 2013 19:20:46 +0200
To: Andrey Borzenkov
Cc: The development of GNU GRUB, keir@xen.org, ian.campbell@citrix.com, stefano.stabellini@eu.citrix.com, Daniel Kiper, linux-kernel@vger.kernel.org, xen-devel@lists.xen.org, jbeulich@suse.com, ross.philipson@citrix.com, boris.ostrovsky@oracle.com, richard.l.maliszewski@intel.com, david.woodhouse@intel.com
Subject: Re: EFI and multiboot2 development work for Xen
Message-ID: <5266B3EE.4010901@gmail.com>

On 22.10.2013 19:12, Andrey Borzenkov wrote:
> On Mon, 21 Oct 2013 23:16:24 +0200
> Vladimir 'φ-coder/phcoder' Serbinenko writes:
>
>> GRUB has generic support for signing kernels/modules/whatsoever using
>> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
>> method doesn't have any controversy associated with EFI stuff but in
>> this particular case does exactly the same thing: verify signature.
>> multiboot2 is mainly memory structure specification so probably how the
>> files are checked is outside of its scope. But it's possible to add
>> specification on how to embed signatures in kernel.
>>
>
> I'm a bit skeptical here. Given that
>
> - EFI secure boot will still be needed to handle Windows
> - kernel can be launched directly as EFI application
> - there are other bootloaders with secure boot support
>
> distributions will likely need to carry on EFI secure boot support. At
> which point it is not clear what advantages second, parallel,
> infrastructure for the sake of single application will bring.
>
Using PE signatures is possible, as I already said, which invalidates your
points.
> The most compelling reason would be allowing module loading (which is
> currently disabled by secure boot patches).