[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Date: Thu, 14 Mar 2024 09:30:54 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Daniel Kiper <daniel.kiper@xxxxxxxxxx>, grub-devel@xxxxxxx
Delivery-date: Thu, 14 Mar 2024 09:31:18 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>
> On 13.03.2024 16:07, Ross Lagerwall wrote:
> > In addition to the existing address and ELF load types, specify a new
> > optional PE binary load type. This new type is a useful addition since
> > PE binaries can be signed and verified (i.e. used with Secure Boot).
>
> And the consideration to have ELF signable (by whatever extension to
> the ELF spec) went nowhere?
>

I'm not sure if you're referring to some ongoing work to create signable
ELFs that I'm not aware of.

I didn't choose that route because:

* Signed PE binaries are the current standard for Secure Boot.

* Having signed ELF binaries would mean that code to handle them needs
to be added to Shim which contravenes its goals of being small and
simple to verify.

* I could be wrong on this but to my knowledge, the ELF format is not
being actively updated nor is the standard owned/maintained by a
specific group which makes updating it difficult.

* Tools would need to be updated/developed to add support for signing
ELF binaries and inspecting the signatures.

I am open to suggestions of course but I'm not sure what benefits there
would be to going the ELF route.

Ross

Follow-Ups:
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
  - From: Jan Beulich

References:
- [PATCH 0/7] GRUB: Supporting Secure Boot of xen.gz
  - From: Ross Lagerwall
- [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
  - From: Ross Lagerwall
- Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
  - From: Jan Beulich

Prev by Date: Re: [XEN PATCH] amd/iommu: add fixed size to function parameter of array type
Next by Date: Re: [PATCH v2 3/3] x86/PVH: Support relocatable dom0 kernels
Previous by thread: Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
Next by thread: Re: [PATCH 1/7] multiboot2: Add load type header and support for the PE binary type
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.