Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>
> On 13.03.2024 16:07, Ross Lagerwall wrote:
> > In addition to the existing address and ELF load types, specify a new
> > optional PE binary load type. This new type is a useful addition since
> > PE binaries can be signed and verified (i.e. used with Secure Boot).
>
> And the consideration to have ELF signable (by whatever extension to
> the ELF spec) went nowhere?
>

I'm not sure if you're referring to some ongoing work to create signable
ELFs that I'm not aware of.

I didn't choose that route because:

* Signed PE binaries are the current standard for Secure Boot.

* Having signed ELF binaries would mean that code to handle them needs
  to be added to Shim which contravenes its goals of being small and
  simple to verify.

* I could be wrong on this but to my knowledge, the ELF format is not
  being actively updated nor is the standard owned/maintained by a
  specific group which makes updating it difficult.

* Tools would need to be updated/developed to add support for signing
  ELF binaries and inspecting the signatures.

I am open to suggestions of course but I'm not sure what benefits there
would be to going the ELF route.

Ross