Hi,

This patchset introduces a utility: grub-wrap. It can wrap a non-PE file as a PE file, which can be subsequently digitally signed (and verified by shim). The wrapped file will be unwrapped at runtime automatically and transparently by the unwrap filter.

With grub-wrap, a PF2 font file can be wrapped and digitally signed. The name of the PE section must be .GRUBpf2, to clearly identify such a PE file as a wrapper of a PF2 font file.

Example usage:

    # generate a MOK key for signing
    pesign --certificate 'MyKey' --export-cert MyKey.crt

    # import the new MOK key
    mokutil --import MyKey.crt
    reboot

    # wrap unicode.pf2 as unicode.pf2.dll
    grub-wrap --input unicode.pf2 --output unicode.pf2.dll --name .GRUBpf2 -O x86_64-efi

    # sign the wrapper with the MOK key
    pesign --in unicode.pf2.dll --out /boot/grub/fonts/unicode.pf2 --force --certificate 'MyKey' --sign

There is one problem: those wrappers mustn't be accepted by other PE loaders. To distinguish these wrappers from normal EFI applications, I decided to make these wrappers look like plain Windows resource-only DLLs (no entry point, and the subsystem tag is set to Windows GUI instead of EFI Application). Currently, shim, tianocore, and my patched GRUB will reject these wrappers while trying to use them as executables. However, I'm not sure whether in-market UEFI firmware will reject them. So I think the best workaround is to forbid keys available in firmware from signing these wrappers, and only use keys in shim to sign wrappers (this seems like exactly what we are doing for GRUB itself).

Best Regards,
Zhang Boyang

Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
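The following is an added example, not code from grub-wrap or the GRUB tree. It builds a minimal PE32+ image in the shape the post describes (payload in one section, here .GRUBpf2; zero entry point; subsystem set to Windows GUI; DLL flag set) and then implements the strict check an unwrap filter would apply before trusting the contents: the same header fields that let the filter accept a wrapper are the ones that make a PE loader refuse to execute it. The concrete ImageBase, alignments and section flags are assumptions chosen for this example; grub-wrap's real output may differ.

```python
"""Build and strictly validate a PE wrapper around an arbitrary blob.

Added example modelled on the layout described in the post; header values
(ImageBase, alignments, section flags) are assumptions, not grub-wrap's own.
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
PE_OFFSET = 0x40        # e_lfanew: PE signature right after a minimal DOS header
OPT_HDR_SIZE = 240      # PE32+ optional header including 16 data directories


def _align(n, a):
    return (n + a - 1) // a * a


def wrap(payload: bytes, section_name: bytes,
         subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, entry_point=0) -> bytes:
    """Return a PE32+ image whose single section carries `payload` verbatim.

    `subsystem` and `entry_point` are parameters only so the validator below
    can be exercised against images that look executable.
    """
    if len(section_name) > 8:
        raise ValueError("PE section names are at most 8 bytes")
    headers_size = _align(PE_OFFSET + 4 + 20 + OPT_HDR_SIZE + 40, FILE_ALIGN)
    raw_size = _align(len(payload), FILE_ALIGN)
    section_rva = SECTION_ALIGN
    image_size = _align(section_rva + len(payload), SECTION_ALIGN)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", PE_OFFSET)   # 64 bytes
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0,
                       OPT_HDR_SIZE, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      IMAGE_NT_OPTIONAL_HDR64_MAGIC, 0, 0,
                      0, raw_size, 0,              # code / init data / uninit data sizes
                      entry_point, 0,              # AddressOfEntryPoint, BaseOfCode
                      0x10000000,                  # ImageBase (assumed)
                      SECTION_ALIGN, FILE_ALIGN,
                      0, 0, 0, 0, 0, 0,            # OS / image / subsystem versions
                      0,                           # Win32VersionValue
                      image_size, headers_size, 0, # SizeOfImage, SizeOfHeaders, CheckSum
                      subsystem, 0,                # Subsystem, DllCharacteristics
                      0, 0, 0, 0,                  # stack / heap reserve and commit
                      0, 16)                       # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                        # all data directories empty
    sect = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"),
                       len(payload), section_rva, raw_size, headers_size,
                       0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(headers_size, b"\0") + payload.ljust(raw_size, b"\0")


def unwrap(image: bytes, expected_name: bytes) -> bytes:
    """Return the payload if `image` is a resource-only wrapper, else raise.

    Anything a loader might run is rejected: non-DLL, non-GUI subsystem,
    non-zero entry point, extra sections, or a section outside the file.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC or opt_size < 112:
        raise ValueError("only PE32+ wrappers are supported")
    (entry,) = struct.unpack_from("<I", image, opt_off + 16)
    (subsystem,) = struct.unpack_from("<H", image, opt_off + 68)
    if not chars & IMAGE_FILE_DLL:
        raise ValueError("wrapper must carry the DLL flag")
    if subsystem != IMAGE_SUBSYSTEM_WINDOWS_GUI:
        raise ValueError("wrapper must use the Windows GUI subsystem, got %d" % subsystem)
    if entry != 0:
        raise ValueError("wrapper must not have an entry point")
    if nsect != 1:
        raise ValueError("wrapper must contain exactly one section")
    name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt_off + opt_size)
    if name.rstrip(b"\0") != expected_name:
        raise ValueError("unexpected section name %r" % name)
    if vsize > raw_size or raw_ptr + raw_size > len(image):
        raise ValueError("section data lies outside the file")
    return image[raw_ptr:raw_ptr + vsize]


if __name__ == "__main__":
    sample = b"FILE PFF2 constructed sample payload\x00"   # constructed, not a real font
    print(unwrap(wrap(sample, b".GRUBpf2"), b".GRUBpf2") == sample)
```

Running the module wraps a constructed blob and unwraps it again; pass `subsystem=IMAGE_SUBSYSTEM_EFI_APPLICATION` or a non-zero `entry_point` to `wrap` to see the validator refuse an image that merely borrows the section name.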