On Mon, Feb 20, 2023 at 09:07:28PM -0600, Glenn Washburn wrote:
> On Mon, 20 Feb 2023 15:06:46 -0500
> Robbie Harwood <rharw...@redhat.com> wrote:
> > Glenn Washburn <developm...@efficientek.com> writes:
> >
> > > If the configure option --enable-efi-debug is given, then enable the
> > > printing early in EFI startup of the command needed to load symbols
> > > for the GRUB EFI kernel. This is needed because EFI firmware
> > > determines where to load the GRUB EFI at runtime, and so the
> > > relevant addresses are not known ahead of time.
> >
> > Does this actually need to be configurable as opposed to always
> > enabled where applicable?  I would want to turn it on in distro
> > builds, much like the similar patch we carry is.
>
> Daniel suggested making it configurable; originally it wasn't. I could
> see someone annoyed with the flash of text and would rather have it disabled.
> Personally, I don't care much. I don't think it makes sense to have the
> gdbinfo module configurable, it should always be enabled (which it
> isn't currently).
>
> Also, Daniel was concerned about this breaking silent boot. How does this
> affect things for you?
>
> > > This is not printed when secure boot is enabled.
> >
> > This will mean that any debugging first requires disabling secureboot.
> > That's potentially annoying and I'm not sure I see a security benefit
> > to doing so.
>
> This was also requested by Daniel, and I have no preference. I confess
> to not seeing a security benefit either. It also seems reasonable to
> think that it might. Perhaps Daniel has something specific in mind.

I think leaking info about the GRUB image addresses on Secure Boot
enabled systems is not the best idea. Or do you think having this feature
enabled by default outweighs the potential dangers coming from its misuse?

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
