From: Vladimir 'φ-coder/phcoder' Serbinenko
To: Daniel Kiper
Cc: The development of GNU GRUB, keir@xen.org, david.woodhouse@intel.com, stefano.stabellini@eu.citrix.com, linux-kernel@vger.kernel.org, ross.philipson@citrix.com, jbeulich@suse.com, boris.ostrovsky@oracle.com, xen-devel@lists.xen.org, richard.l.maliszewski@intel.com, ian.campbell@citrix.com
Date: Wed, 23 Oct 2013 10:44:56 +0200
Subject: Re: EFI and multiboot2 devlopment work for Xen
Message-ID: <52678C88.3020504@gmail.com>
In-Reply-To: <20131023074334.GS3626@debian70-amd64.local.net-space.pl>
References: <20131021125756.GA3626@debian70-amd64.local.net-space.pl> <526599A8.9090501@gmail.com> <20131023074334.GS3626@debian70-amd64.local.net-space.pl>

On 23.10.2013 09:43, Daniel Kiper wrote:
> On Mon, Oct 21, 2013 at 11:16:24PM +0200, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> Mail is big, I think I got your essential points but I didn't read it whole.
>> On 21.10.2013 14:57, Daniel Kiper wrote:
>>> Hi,
>>>
>>> During work on multiboot2 protocol support for Xen it was discovered
>>> that the memory map passed via the relevant tag could not represent the wide range
>>> of memory types available on EFI platforms. Additionally, the GRUB2
>>> implementation calls ExitBootServices() on them just before jumping
>>> into the loaded image. In this situation the loaded system could not clearly
>>> identify reserved memory regions, EFI runtime services regions and others.
>>>
>> Will a multiboot2 tag with the whole EFI memory map solve your problem?
>>> Additionally, it should be mentioned that there is no possibility, or it could
>>> be very difficult, to implement secure boot on EFI platforms using GRUB2 as boot
>>> loader because, as was mentioned earlier, it calls ExitBootServices().
>>>
>> GRUB has generic support for signing kernels/modules/whatsoever using
>> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This
>> method doesn't have any controversy associated with EFI stuff but in
>> this particular case does exactly the same thing: verify the signature.
>> multiboot2 is mainly a memory structure specification, so how the
>> files are checked is probably outside of its scope. But it's possible to add
>> a specification on how to embed signatures in the kernel.
>
> I think that EFI signatures should be supported because they are quite
> common right now. However, I think that it is also worth supporting
> GnuPG signatures. This way anybody will be able to choose a good solution
> for a given case.
>
Agreed.
> Daniel
>
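The information loss Daniel describes in the quoted text, and the reason a tag carrying the whole EFI memory map would address it, can be made concrete by converting a UEFI memory map into multiboot2 memory map entries. The C program below is an added example written for this archive page; it is not GRUB or Xen code. The EFI descriptor layout and type numbers follow the UEFI specification and the multiboot2 type values follow the multiboot2 specification, but the exact EFI-to-multiboot2 mapping, the 48-byte descriptor stride and the sample regions are constructed for illustration and GRUB's own mapping may differ in detail.

```c
/* Added illustration for this thread, not GRUB or Xen code.  Walks a UEFI
 * memory map and rewrites it as multiboot2 memory map entries to show which
 * EFI memory types the multiboot2 "type" field can carry and which it loses.
 * multiboot2 types per its spec: 1 available, 3 ACPI reclaimable, 4 NVS,
 * 5 defective RAM, anything else reserved.  The sample map is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_MEMORY_TYPE values (UEFI spec). */
enum {
  EfiReservedMemoryType = 0, EfiLoaderCode = 1, EfiLoaderData = 2,
  EfiBootServicesCode = 3, EfiBootServicesData = 4,
  EfiRuntimeServicesCode = 5, EfiRuntimeServicesData = 6,
  EfiConventionalMemory = 7, EfiUnusableMemory = 8,
  EfiACPIReclaimMemory = 9, EfiACPIMemoryNVS = 10, EfiMemoryMappedIO = 11
};
#define EFI_MEMORY_RUNTIME 0x8000000000000000ULL /* must stay mapped for runtime services */
#define EFI_PAGE_SIZE 4096ULL

/* EFI_MEMORY_DESCRIPTOR (UEFI spec): 40 bytes, but firmware reports its own stride. */
struct efi_memory_descriptor {
  uint32_t type, pad;
  uint64_t physical_start, virtual_start, number_of_pages, attribute;
};

/* multiboot2 memory map entry: base, length, type, reserved. */
struct mb2_mmap_entry { uint64_t addr, len; uint32_t type, zero; };
enum { MB2_AVAILABLE = 1, MB2_RESERVED = 2, MB2_ACPI_RECLAIMABLE = 3,
       MB2_NVS = 4, MB2_BADRAM = 5 };

/* The lossy step (illustrative mapping): runtime services code/data, MMIO and
 * firmware-reserved regions all become MB2_RESERVED and cannot be told apart. */
uint32_t mb2_type_from_efi(uint32_t efi_type)
{
  switch (efi_type) {
  case EfiLoaderCode: case EfiLoaderData:
  case EfiBootServicesCode: case EfiBootServicesData:
  case EfiConventionalMemory: return MB2_AVAILABLE; /* free once boot services end */
  case EfiACPIReclaimMemory:  return MB2_ACPI_RECLAIMABLE;
  case EfiACPIMemoryNVS:      return MB2_NVS;
  case EfiUnusableMemory:     return MB2_BADRAM;
  default:                    return MB2_RESERVED;
  }
}

/* Convert a raw EFI map to multiboot2 entries.  Steps by desc_size, the stride
 * the firmware reports, never by sizeof.  Also counts descriptors flagged
 * EFI_MEMORY_RUNTIME, since no field in the emitted entries can carry that.
 * Returns entries written, or 0 when the stride is too small to be valid. */
size_t convert_efi_map(const uint8_t *map, size_t map_size, size_t desc_size,
                       struct mb2_mmap_entry *out, size_t out_max,
                       size_t *runtime_regions)
{
  size_t n = 0, rt = 0;
  if (desc_size < sizeof(struct efi_memory_descriptor))
    return 0;                          /* refuse to over-read a malformed map */
  for (size_t off = 0; off + desc_size <= map_size && n < out_max; off += desc_size) {
    struct efi_memory_descriptor d;
    memcpy(&d, map + off, sizeof d);   /* copy: stride alignment is not guaranteed */
    out[n].addr = d.physical_start;
    out[n].len  = d.number_of_pages * EFI_PAGE_SIZE;
    out[n].type = mb2_type_from_efi(d.type);
    out[n].zero = 0;
    if (d.attribute & EFI_MEMORY_RUNTIME)
      rt++;
    n++;
  }
  if (runtime_regions)
    *runtime_regions = rt;
  return n;
}

/* Constructed sample map, serialised at a 48-byte stride as real firmware often does. */
#define SAMPLE_STRIDE 48
static const struct efi_memory_descriptor sample_descs[] = {
  { EfiConventionalMemory,  0, 0x00100000ULL, 0, 0x1000, 0 },
  { EfiBootServicesData,    0, 0x01100000ULL, 0, 0x0100, 0 },
  { EfiRuntimeServicesCode, 0, 0x01200000ULL, 0, 0x0020, EFI_MEMORY_RUNTIME },
  { EfiRuntimeServicesData, 0, 0x01220000ULL, 0, 0x0010, EFI_MEMORY_RUNTIME },
  { EfiReservedMemoryType,  0, 0x01230000ULL, 0, 0x0010, 0 },
  { EfiACPIReclaimMemory,   0, 0x01240000ULL, 0, 0x0004, 0 },
  { EfiACPIMemoryNVS,       0, 0x01244000ULL, 0, 0x0004, 0 },
  { EfiMemoryMappedIO,      0, 0xFE000000ULL, 0, 0x1000, EFI_MEMORY_RUNTIME },
};
#define SAMPLE_COUNT (sizeof sample_descs / sizeof sample_descs[0])

size_t build_sample_map(uint8_t *buf, size_t buf_size)
{
  if (buf_size < SAMPLE_COUNT * SAMPLE_STRIDE)
    return 0;
  memset(buf, 0, SAMPLE_COUNT * SAMPLE_STRIDE);
  for (size_t i = 0; i < SAMPLE_COUNT; i++)
    memcpy(buf + i * SAMPLE_STRIDE, &sample_descs[i], sizeof sample_descs[i]);
  return SAMPLE_COUNT * SAMPLE_STRIDE;
}

/* Run the sample through the conversion.  Returns how many entries came out
 * as MB2_RESERVED; *runtime_regions receives the EFI-side runtime count. */
size_t sample_reserved_count(size_t *runtime_regions)
{
  uint8_t buf[SAMPLE_COUNT * SAMPLE_STRIDE];
  struct mb2_mmap_entry out[SAMPLE_COUNT];
  size_t sz = build_sample_map(buf, sizeof buf);
  size_t n = convert_efi_map(buf, sz, SAMPLE_STRIDE, out, SAMPLE_COUNT, runtime_regions);
  size_t reserved = 0;
  for (size_t i = 0; i < n; i++)
    reserved += (out[i].type == MB2_RESERVED);
  return reserved;
}
```

Of the eight constructed regions, four come out as the generic reserved type, and the three carrying EFI_MEMORY_RUNTIME are indistinguishable from plain reserved memory afterwards, which is exactly what a kernel that wants to use runtime services after ExitBootServices() needs to know. Passing the loaded image the raw descriptors together with the firmware's descriptor size and version, as a whole-EFI-memory-map tag would, keeps that distinction. The stride check is not decorative: stepping by sizeof(descriptor) instead of the reported size silently misparses maps from firmware that pads the descriptor.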