Hi,

after some thinking about device trees and secure boot today, I
pondered if we should just allow wrapping a filesystem image in a
signed PE binary into a "grubext" section perhaps. Use cases can be:

- signed fonts packages
- signed themes packages
- signed device trees

This probably needs some reworking of the verifiers such that if we
load files from the image in the signed PE, they inherit the
verification.

The caveat is that this works for architectures with secure UEFI boot,
but for example, the secure boot on POWER has a different scheme for
signing.

A GPG-based solution which GRUB already has kind of works for
everyone, but it involves gpg and exists outside the normal boot trust
chain which seems suboptimal to me - tying the data we load directly
to the shim or firmware certificate is a nicer theory.

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
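
Added example, not part of the original message and not GRUB code: one way a loader could pull a "grubext" payload out of a PE image it has already verified, bounds-checking every header field so the returned bytes stay inside the verified buffer. The function names, the sample builder and the "DTB!" payload are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rd(const uint8_t *p, int n)   /* little-endian read, n = 2 or 4 */
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Find section `name` in a PE image that is already verified and in memory.
 * Returns a pointer into img and sets *len; NULL on malformed or
 * out-of-bounds headers. Assumption: the verifier hashed this same buffer. */
const uint8_t *pe_find_section(const uint8_t *img, size_t size,
                               const char *name, size_t *len)
{
    char want[8] = {0};
    if (strlen(name) > 8 || size < 0x40 || memcmp(img, "MZ", 2) != 0)
        return NULL;
    memcpy(want, name, strlen(name));
    size_t pe = rd(img + 0x3c, 4);                    /* e_lfanew */
    if (pe > size || size - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0)
        return NULL;
    size_t nsect = rd(img + pe + 6, 2);               /* NumberOfSections */
    size_t tab = pe + 24 + rd(img + pe + 20, 2);      /* skip optional header */
    if (tab > size || (size - tab) / 40 < nsect)
        return NULL;
    for (size_t i = 0; i < nsect; i++) {
        const uint8_t *s = img + tab + i * 40;
        if (memcmp(s, want, 8) != 0) continue;
        size_t raw_len = rd(s + 16, 4), raw_off = rd(s + 20, 4);
        if (raw_off > size || size - raw_off < raw_len)
            return NULL;                              /* points outside the image */
        *len = raw_len;
        return img + raw_off;
    }
    return NULL;
}

/* Constructed sample: PE-shaped buffer with one "grubext" section header. */
void build_sample(uint8_t b[256], uint8_t raw_off, uint8_t raw_len)
{
    memset(b, 0, 256);
    memcpy(b, "MZ", 2);
    b[0x3c] = 0x40; b[0x46] = 1;          /* e_lfanew; one section, no optional header */
    memcpy(b + 0x40, "PE\0\0", 4);
    memcpy(b + 0x58, "grubext", 7);       /* section table at 0x40 + 24 */
    b[0x58 + 16] = raw_len; b[0x58 + 20] = raw_off;
    memcpy(b + 0x80, "DTB!", 4);          /* stand-in payload */
}
```

Because the payload pointer aliases the verified buffer, nothing is re-read from disk between the signature check and use.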
