[edk2-devel] [GSoC proposal] Secure Image Loader

Michael Brown mcb30 at ipxe.org
Thu Apr 8 09:55:31 UTC 2021


On 08/04/2021 10:41, Marvin Häuser wrote:
> No, 
> backwards-compatibility will not be broken in the sense that the old API 
> is absent or malfunctioning.

Perfect. :)

> As I *have* said, I imagine there to be an 
> option (default true) to expose both variants.

Very much less perfect.  The mere existence of such an option 
immediately reimposes the burden on external code to support both, 
because it opens up the possibility of running on systems where the 
option is set to false.

> With default settings, I 
> want the loader to be at the very least mostly plug-'n'-play with 
> existing platform drivers and OS loaders from the real world. "Mostly" 
> can be clarified further once we have a detailed plan on the changes 
> (and responses to e.g. malformed binary issues with iPXE and GNU-EFI).

Yes; thank you for https://github.com/ipxe/ipxe/pull/313.  It will take 
some time to review.

As a practical consideration: unless there is a security reason to do 
otherwise, you should almost certainly relax the constraints on images 
that your loader will accept, to avoid causing unnecessary end-user 
disruption.  What is the *security* reason behind your alignment 
requirements (which clearly are not required by any other toolchain, 
including those used for signing Secure Boot binaries)?

Thanks,

Michael

