Yes yes yes yes. Signed dtb in grub at last.

On Wed, 7 Dec 2022, 03:16 Michael Chang via Grub-devel, <grub-devel@gnu.org> wrote:

> On Tue, Dec 06, 2022 at 11:09:57AM -0500, Robbie Harwood wrote:
> > Zhang Boyang <zhangboyang...@gmail.com> writes:
> >
> > > Since font files can be wrapped as PE images by grub-wrap, use shim to
> > > verify font files if Secure Boot is enabled. To prevent other PE files
> > > (e.g. kernel images) from being used as wrappers, it only allows files
> > > marked as Windows GUI to be used as wrappers.
> >
> > Thanks for writing this; it's helpful to have something concrete to look
> > at.
> >
> > This approach is very font-focused, and while I understand that given
> > the discussion, I do still wonder if it wouldn't be better to make fonts
> > an instance of modules. If fonts become instances of modules, and
> > modules are wrapped into PE files, that not only seems cleaner but also
> > gives us signed module support without baking those into the image.
>
> Why not just make the PE wrap applicable to all file types, be it font
> files, grub modules or even (static) initrd? Providing a solution to
> sign arbitrary data or binary with this PE envelope sounds to me a very
> attractive feature and worth the extra mile. :)
>
> Thanks,
> Michael
>
> >
> > What do you think?
> >
> > Be well,
> > --Robbie
> >
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
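
The wrapper restriction described in the quoted patch summary (accept a PE file as a data wrapper only if its Subsystem field is Windows GUI, so an image marked as an EFI application is refused), as an added example that is not code from the patch or from GRUB. The function names and the constructed sample header are assumptions made for illustration; the field offsets and constants come from the PE/COFF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subsystem values from the PE/COFF specification. */
#define PE_SUBSYSTEM_WINDOWS_GUI     2
#define PE_SUBSYSTEM_EFI_APPLICATION 10

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Return the optional header's Subsystem field, or -1 if buf is not a usable PE image. */
int pe_subsystem(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd32(buf + 0x3c);                 /* e_lfanew: offset of "PE\0\0" */
    if (pe > len || len - pe < 24 + 70) return -1; /* sig 4 + COFF 20 + 70 bytes of opt. header */
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t magic = rd16(buf + pe + 24);         /* 0x10b = PE32, 0x20b = PE32+ */
    if ((magic != 0x10b && magic != 0x20b) || rd16(buf + pe + 20) < 70) return -1;
    return rd16(buf + pe + 24 + 68);              /* Subsystem: offset 68 in both layouts */
}

/* Policy as described in the quoted patch summary: only Windows GUI images may wrap data. */
int pe_is_allowed_wrapper(const uint8_t *buf, size_t len)
{
    return pe_subsystem(buf, len) == PE_SUBSYSTEM_WINDOWS_GUI;
}

/* Constructed sample: zero-filled PE32+ header skeleton carrying the given subsystem. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t subsystem)
{
    const size_t pe = 0x40, total = pe + 24 + 240; /* 240 = PE32+ optional header size */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = (uint8_t)pe;
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 20] = 240;                           /* SizeOfOptionalHeader */
    buf[pe + 24] = 0x0b; buf[pe + 25] = 0x02;     /* magic 0x20b */
    buf[pe + 24 + 68] = (uint8_t)subsystem;
    return total;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_sample(img, sizeof img, PE_SUBSYSTEM_EFI_APPLICATION);
    printf("EFI application allowed as wrapper: %d\n", pe_is_allowed_wrapper(img, n));
}
```

The Subsystem field only classifies the file; the trust decision still rests on the signature verification over the whole image that the thread delegates to shim.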