From: Michael Chang
Subject: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM
Date: Thu, 10 Jan 2019 16:12:08 +0800
User-agent: Mutt/1.10.1 (2018-07-13)


With the advent of the new verifier framework and shim lock protocol support
in the grub community, we are driving to the world of UEFI Secure
Boot, well, almost...

There is a missing piece in the puzzle remaining, that is booting the linux
kernel via its own EFI Handover Protocol entry. Strictly speaking,
the interface is not part of UEFI Secure Boot, but we have to use it
to avoid the problem of using the UEFI LoadImage Protocol, which will not work
with shim and its Machine Owner Key (MOK) as they are not part of the
firmware's KEK and db.

In other words, with the current state of the implementation, ARM is still
not able to support Secure Boot and will end up with a security violation
as long as LoadImage is performed to boot the kernel as a firmware blob.
The shim-lock support turns out to be useless, unless we could change it
to use some sort of kernel's own interface; UEFI handover is a
good candidate for me (sorry, I'm not aware of any other choice for ARM).

The x86 might be working with shim, since the 32-bit entry is used. But IIUC
the linux kernel recommends the EFI handover entry over the 32-bit one for EFI booting,
since it is less tied to the bootloader and thus makes booting problems
easier and more obvious to fix by the kernel itself. For that reason the
support will be needed in the long run regardless of secure boot, since it
provides better prospects than the 32-bit entry.

I think it is about time to discuss and figure out a common way to bring
UEFI handover support to both the x86 and ARM architectures, which both have UEFI
running. Many downstream distributions have already been carrying a
diverged linuxefi patch for a long time, and I think our ARM friends may
not want to repeat the same story. :)

Any ideas and suggestions on the topic are welcome.
