On Fri, 21 Mar 2025 at 09:05, Alexander Graf <graf@xxxxxxxxxx> wrote: > > > On 21.03.25 01:26, Luca Boccassi wrote: > > On Thu, 20 Mar 2025 at 22:43, Alexander Graf <graf@xxxxxxxxxx> wrote: > >> Let's first figure out how all of this works without shim. Then we can > >> look at whether we need to and how we can extend the shim/sd-boot > >> interface to make that case work as well. Please don't start off > >> assuming everyone runs shim in secure boot environments. > > But that's a bit off topic, though - the issue Mate brought up with > > this thread is specifically with shim/16 + sd-boot + sd-stub, which is > > a bit time pressing as both Plucky and Trixie are about to go out with > > this combination that used to work, but doesn't anymore. > > Without shim there's no new issue, everything works as it always did. > > > If you read through Heinrich's reply once more, you can clearly see that > it does not. We have 2 broken cases: new shim (change of contract) and > U-Boot (dependency on PI internals). > > You could - as Ard suggested - introduce a new "prevalidated image load" > protocol in shim to solve the shim case. But that will continue to leave > U-Boot broken. To solve U-Boot, you would basically need to implement > the same "prevalidated image load" in sd-boot. And once you have that, > why would you duplicate it in shim? > So the fundamental problem is that LoadImage() is being used with unsigned images, right? As I have proposed in the past, what we really need in UEFI is the notion of ephemeral certs/hashes that are loaded from authenticated images and can be used to authenticate subsequent ones. That would reduce shim to a UEFI app with an embedded cert that simply loads the next stage, and it would permit sd-stub to include SHA hashes of the embedded images in a cert table that would automatically be picked up by the loader (i.e., no need for signing the embedded images, taking the SHA digest would be sufficient) I am well aware that this is entirely irrelevant in Trixie timeframe, but perhaps the irritation level all around has been raised sufficiently now for us sit down together and finally fix this shim crap for good?
Re: shim 16 breaking systemd stub and next steps
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: shim 16 breaking systemd stub and next steps
- From: Ard Biesheuvel <ardb@xxxxxxxxxx>
- Date: Fri, 21 Mar 2025 09:12:48 +0100
- Cc: Luca Boccassi <luca.boccassi@xxxxxxxxx>, systemd-devel@xxxxxxxxxxxxxxxxxxxxx, Mate Kukri <mate.kukri@xxxxxxxxxxxxx>, Ilias Apalodimas <ilias.apalodimas@xxxxxxxxxx>, Heinrich Schuchardt <xypron.glpk@xxxxxx>
- In-reply-to: <cbc55556-88be-4c33-9da3-3fc17baf57ce@amazon.com>
- References: <CAAfJHtqY0vCy9ORH4fsW_b1H7Z2vtw0Wh9KXO61LtSxJ8td7PA@mail.gmail.com> <CAMw=ZnRpWRhrwuzhNM5qgqALaHr1PqebZL_7_FvmPCZpj29Ngw@mail.gmail.com> <02842bd0-cfb3-4fd0-902b-63ddc27cdf76@amazon.com> <CAMw=ZnQNSX-aGvrnv7HGna9WRdJg5xdmEcpyOU99=C1VFev46w@mail.gmail.com> <2d7ccc4e-5ecd-4061-ae4b-52a9905d23ac@amazon.com> <CAMw=ZnSXzsoxGvAr6uWoXHgZvXBFa3NA0iUH1=u8A44SkwfK5A@mail.gmail.com> <cbc55556-88be-4c33-9da3-3fc17baf57ce@amazon.com>
- Follow-Ups:
- Re: shim 16 breaking systemd stub and next steps
- From: Alexander Graf
- Re: shim 16 breaking systemd stub and next steps
- References:
- shim 16 breaking systemd stub and next steps
- From: Mate Kukri
- Re: shim 16 breaking systemd stub and next steps
- From: Luca Boccassi
- Re: shim 16 breaking systemd stub and next steps
- From: Alexander Graf
- Re: shim 16 breaking systemd stub and next steps
- From: Luca Boccassi
- Re: shim 16 breaking systemd stub and next steps
- From: Alexander Graf
- Re: shim 16 breaking systemd stub and next steps
- From: Luca Boccassi
- Re: shim 16 breaking systemd stub and next steps
- From: Alexander Graf
- shim 16 breaking systemd stub and next steps
- Prev by Date: Re: shim 16 breaking systemd stub and next steps
- Next by Date: Re: shim 16 breaking systemd stub and next steps
- Previous by thread: Re: shim 16 breaking systemd stub and next steps
- Next by thread: Re: shim 16 breaking systemd stub and next steps
- Index(es):
 |