V Thu, Jul 28, 2022 at 06:31:55AM -0700, Neal Gompa napsal(a): > On Wed, Jul 27, 2022 at 2:05 PM Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote: > > > > On Mi, 27.07.22 16:50, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote: > > > > > > I prefer no shim in my computers. I'm using systemd-boot signed by my > > > > own CA. > > > > > > That is not a generic solution we can ship in Fedora. Since each > > > distro ships their own shim, they'd each have to ship their own > > > signed fsfs in order to read the shared a non-FAT $BOOT. It's too > > > high a barrier to adoption. > > > > Something we could add relatively easily to sd-boot is that it could > > look for drivers to load in one of its own PE sections (let's say a > > new section ".drivers"). > > > > Then Fedora could do something like this: > > > > 1. build ext4 efifs as UEFI PE binary (→ ext2_x64.efi) > > 2. build systemd-boot as UEFI PE binary (→ systemd-bootx64.efi) > > 3. use "objcopy --add-section .drivers=ext2_x64.efi > > systemd-bootx64.efi systemd-bootx64.withext4.efi" to embedd the ext4 > > driver inside systemd-boot > > 4. sign the resulting systemd-bootx64.withext4.efi via shim/… > > 5. profitt! now you have an sd-boot binary that can do ext4. yay. > > 6. ask relevant other distros to do the same. They are probably in a > > very similar situation as fedora is, given they typically all use > > Grub right now. > > > > This sounds pretty awesome, actually. I'd like to see that get implemented... > Unfortunatelly (complex) file system drivers are not written with safety on mind. They rather prefer performance over security. If somebody signed a UEFI driver for ext4, there would be a storm of CVEs "Secure boot bypass with a contrived file system". -- Petr
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
