On Fri, 7 Feb 2020 at 16:20, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: > > On Fri, 2020-02-07 at 12:23 +0000, Ard Biesheuvel wrote: > > On Fri, 7 Feb 2020 at 09:22, Laszlo Ersek <lersek@xxxxxxxxxx> wrote: > > > > > > On 02/07/20 10:09, Laszlo Ersek wrote: > [...] > > > > For example, virt-install's "--location" option "can recognize > > > > certain distribution trees and fetches a bootable kernel/initrd > > > > pair to launch the install". It would be nice to keep that > > > > working for older distros. > > > > > > > > I think LoadFile[2] can co-exist with SimpleFs. > > > > > > > > I also think that the "try SimpleFs first, fall back to > > > > LoadFile[2] second" requirement applies only to the UEFI boot > > > > manager, and not to the kernel's EFI stub. IOW in the new > > > > approach the kernel is free to ignore (abandon) the old approach > > > > for good. > > > > > > ... But that might not be good for compatibility with grub and/or > > > the platform firmware, from the kernel's own perspective, > > > perhaps?... > > > > > > Who is supposed to produce LoadFile2 with the new VenMedia devpath? > > > > > > > What I am ultimately after is a generic GRUB that uses > > LoadImage+Startimage for starting the kernel on all architectures, > > For most boots, we need to pivot to the MoK. A long time ago, I > proposed updating the platform security policy to do an override to > allow MoK to become the security verifier (actually principally so I > could get the gummiboot bootloader to work with the MoK method): > > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/security_policy.c > > And I believe all the pivot bootloaders now do this, but the fear was > always this looks a bit like hackery that might not work in some UEFI > implementations. Since we don't really rely on it (shim link loads > after signature verification) we don't know whether the assumption does > break or not. We'll need to get much more comfortable with the > security override before we can let grub do a simple load+start. > I'd like to do something much simpler: let shim override LoadImage and StartImage, and in their implementations, fall back to the firmware ones if necessary. > > and is able to load the initrd from anywhere in an arch agnostic > > manner. > > I think the use case might not really be grub, it's gummiboot, or > systemd-boot as its now called: > No it is definitely GRUB. GRUB today needs to attach to the shim protocol, perform the authentication, measure the payload etc etc, which means it knows far too much about the internals of shim or the fact that it even exists. My ideal bootflow would be where the OS installer looks at the firmware's db/dbx, doesn't bother to install shim if the OS vendor's cert is there, and uses the exact same GRUB regardless of whether shim is part of the bootflow or not. One of the things impeding this is the fact that we cannot load the initrd from anywhere when using loadimage+startimage. > https://wiki.archlinux.org/index.php/systemd-boot > > The standard way of using grub and EFI is to put grub on the EFI > parition but have the kernel and the initrd on the root parition (which > won't be EFI readable). This means we can keep the EFI partition small > and only needing modification when grub is updated, meaning it doesn't > even need mounting at all usually. > > Don't get me wrong, I like the gummiboot way of doing the > LoadImage+StartImage: it's small and clean and doesn't need the shim > protocol, but people like the sophistication grub provides including > its ability to read kernel filesystems, so they're unlikely to change > that. >
