From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: Daniel Kiper <daniel.kiper@oracle.com>
Cc: The development of GNU GRUB <grub-devel@gnu.org>,
keir@xen.org, david.woodhouse@intel.com,
stefano.stabellini@eu.citrix.com, linux-kernel@vger.kernel.org,
ross.philipson@citrix.com, jbeulich@suse.com,
boris.ostrovsky@oracle.com, xen-devel@lists.xen.org,
richard.l.maliszewski@intel.com, ian.campbell@citrix.com
Subject: Re: EFI and multiboot2 devlopment work for Xen
Date: Wed, 23 Oct 2013 10:44:56 +0200 [thread overview]
Message-ID: <52678C88.3020504@gmail.com> (raw)
In-Reply-To: <20131023074334.GS3626@debian70-amd64.local.net-space.pl>
On 23.10.2013 09:43, Daniel Kiper wrote:
> On Mon, Oct 21, 2013 at 11:16:24PM +0200, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> The mail is big; I think I got your essential points but I didn't read it in full.
>> On 21.10.2013 14:57, Daniel Kiper wrote:
>>> Hi,
>>>
>>> During work on multiboot2 protocol support for Xen it was discovered
>>> that the memory map passed via the relevant tag could not represent the wide range
>>> of memory types available on EFI platforms. Additionally, the GRUB2
>>> implementation calls ExitBootServices() on them just before jumping
>>> into the loaded image. In this situation the loaded system could not clearly
>>> identify reserved memory regions, EFI runtime services regions and others.
>>>
>> Will a multiboot2 tag with whole EFI memory map solve your problem?
>>> Additionally, it should be mentioned that it is impossible, or could
>>> be very difficult, to implement secure boot on EFI platforms using GRUB2 as the boot
>>> loader because, as mentioned earlier, it calls ExitBootServices().
>>>
>> GRUB has generic support for signing kernels/modules/whatever using
>> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
>> method doesn't have any of the controversy associated with EFI stuff but in
>> this particular case does exactly the same thing: verify the signature.
>> multiboot2 is mainly a memory structure specification, so how the
>> files are checked is probably outside its scope. But it's possible to add
>> a specification on how to embed signatures in the kernel.
>
> I think that EFI signatures should be supported because they are quite
> common right now. However, I think that it is also worth supporting
> GnuPG signatures. This way anybody will be able to choose a good solution
> for a given case.
>
Agreed.
> Daniel
>
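As an added illustration of the memory-map point raised in the quoted mail (example code written for this page, not code from the thread, GRUB or Xen): the classic Multiboot2 memory-map tag knows only five entry types, so an EFI map's runtime-services, MMIO and reserved regions all collapse into "reserved" and the loaded kernel can no longer tell them apart, whereas a tag that carries the raw EFI descriptors keeps every EFI type recoverable. The EFI-to-Multiboot2 mapping table and the sample memory map below are constructed assumptions for the example; the EFI-mmap tag header (type 17 with descr_size and descr_vers fields) is stated here as an assumed layout, and the walker steps by descr_size rather than sizeof because firmware may report a larger descriptor stride.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiboot2 "Memory map" tag entry types. */
#define MB2_MEMORY_AVAILABLE        1
#define MB2_MEMORY_RESERVED         2
#define MB2_MEMORY_ACPI_RECLAIMABLE 3
#define MB2_MEMORY_NVS              4
#define MB2_MEMORY_BADRAM           5
/* Multiboot2 "EFI memory map" tag type (assumed layout: header + raw descriptors). */
#define MB2_TAG_TYPE_EFI_MMAP 17

/* UEFI EFI_MEMORY_TYPE values (subset). */
enum {
  EfiReservedMemoryType = 0, EfiLoaderCode = 1, EfiLoaderData = 2,
  EfiBootServicesCode = 3, EfiBootServicesData = 4,
  EfiRuntimeServicesCode = 5, EfiRuntimeServicesData = 6,
  EfiConventionalMemory = 7, EfiUnusableMemory = 8,
  EfiACPIReclaimMemory = 9, EfiACPIMemoryNVS = 10, EfiMemoryMappedIO = 11,
};

/* EFI_MEMORY_DESCRIPTOR, version 1 layout (40 bytes). */
struct efi_memory_descriptor {
  uint32_t type; uint32_t pad;
  uint64_t physical_start, virtual_start, number_of_pages, attribute;
};
struct mb2_mmap_entry { uint64_t base_addr, length; uint32_t type, reserved; };
struct mb2_tag_efi_mmap { uint32_t type, size, descr_size, descr_vers; };

/* Lossy EFI -> Multiboot2 mapping. Illustrative assumption, not GRUB's own
 * table: whatever the classic tag cannot express becomes "reserved". */
static uint32_t mb2_type_from_efi(uint32_t efi_type)
{
  switch (efi_type) {
  case EfiConventionalMemory: case EfiLoaderCode: case EfiLoaderData:
  case EfiBootServicesCode: case EfiBootServicesData:
    return MB2_MEMORY_AVAILABLE;            /* free once boot services end */
  case EfiACPIReclaimMemory: return MB2_MEMORY_ACPI_RECLAIMABLE;
  case EfiACPIMemoryNVS:     return MB2_MEMORY_NVS;
  case EfiUnusableMemory:    return MB2_MEMORY_BADRAM;
  default:                   return MB2_MEMORY_RESERVED; /* runtime svc, MMIO, ... */
  }
}

static void efi_map_to_mb2(const struct efi_memory_descriptor *map, size_t n,
                           struct mb2_mmap_entry *out)
{
  for (size_t i = 0; i < n; i++) {
    out[i].base_addr = map[i].physical_start;
    out[i].length    = map[i].number_of_pages << 12;   /* EFI pages are 4 KiB */
    out[i].type      = mb2_type_from_efi(map[i].type);
    out[i].reserved  = 0;
  }
}

/* Pack the raw EFI map into an EFI-mmap tag; returns the tag size, 0 on overflow. */
static size_t build_efi_mmap_tag(const struct efi_memory_descriptor *map, size_t n,
                                 uint8_t *buf, size_t buflen)
{
  struct mb2_tag_efi_mmap hdr = { MB2_TAG_TYPE_EFI_MMAP, 0, sizeof *map, 1 };
  size_t total = sizeof hdr + n * sizeof *map;
  if (total > buflen) return 0;
  hdr.size = (uint32_t)total;
  memcpy(buf, &hdr, sizeof hdr);
  memcpy(buf + sizeof hdr, map, n * sizeof *map);
  return total;
}

/* Walk the tag as a loaded kernel would: stride by descr_size, bounds-check
 * every step, and count descriptors of the requested EFI type. */
static size_t count_efi_type_in_tag(const uint8_t *buf, size_t buflen, uint32_t want)
{
  struct mb2_tag_efi_mmap hdr;
  size_t found = 0;
  if (buflen < sizeof hdr) return 0;
  memcpy(&hdr, buf, sizeof hdr);
  if (hdr.type != MB2_TAG_TYPE_EFI_MMAP || hdr.size > buflen ||
      hdr.descr_size < sizeof(uint32_t)) return 0;
  for (size_t off = sizeof hdr; off + hdr.descr_size <= hdr.size; off += hdr.descr_size) {
    uint32_t t;
    memcpy(&t, buf + off, sizeof t);    /* Type is the descriptor's first field */
    if (t == want) found++;
  }
  return found;
}

/* Constructed sample map (not captured from any real firmware). */
static const struct efi_memory_descriptor sample_map[] = {
  { EfiConventionalMemory,  0, 0x00100000, 0, 0x700, 0 },
  { EfiRuntimeServicesCode, 0, 0x7f000000, 0, 0x10,  0 },
  { EfiRuntimeServicesData, 0, 0x7f010000, 0, 0x20,  0 },
  { EfiMemoryMappedIO,      0, 0xfed00000, 0, 0x1,   0 },
  { EfiReservedMemoryType,  0, 0x7fff0000, 0, 0x10,  0 },
  { EfiACPIReclaimMemory,   0, 0x7fe00000, 0, 0x8,   0 },
};
#define SAMPLE_N (sizeof sample_map / sizeof sample_map[0])

/* Classic tag: how many distinct regions become an indistinguishable "reserved". */
size_t demo_reserved_in_classic_tag(void)
{
  struct mb2_mmap_entry e[SAMPLE_N];
  size_t n = 0;
  efi_map_to_mb2(sample_map, SAMPLE_N, e);
  for (size_t i = 0; i < SAMPLE_N; i++) n += (e[i].type == MB2_MEMORY_RESERVED);
  return n;
}

/* EFI-mmap tag: the same map round-tripped, runtime-services regions still findable. */
size_t demo_regions_in_efi_tag(uint32_t efi_type)
{
  uint8_t buf[512];
  size_t len = build_efi_mmap_tag(sample_map, SAMPLE_N, buf, sizeof buf);
  return count_efi_type_in_tag(buf, len, efi_type);
}

int main(void)
{
  printf("classic mmap tag: %zu of %zu regions collapse to RESERVED\n",
         demo_reserved_in_classic_tag(), (size_t)SAMPLE_N);
  printf("efi mmap tag: %zu RuntimeServicesCode, %zu RuntimeServicesData regions\n",
         demo_regions_in_efi_tag(EfiRuntimeServicesCode),
         demo_regions_in_efi_tag(EfiRuntimeServicesData));
  return 0;
}
```

With the constructed map, four of the six regions (both runtime-services regions, the MMIO window and the firmware-reserved block) are reported as plain "reserved" by the classic tag, which is the ambiguity the mail describes; the EFI-mmap tag lets the kernel pick out exactly the RuntimeServicesCode and RuntimeServicesData regions it must keep mapped after ExitBootServices().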