On 22.10.2013 19:12, Andrey Borzenkov wrote: > В Mon, 21 Oct 2013 23:16:24 +0200 > Vladimir 'φ-coder/phcoder' Serbinenko <phco...@gmail.com> пишет: > >> GRUB has generic support for signing kernels/modules/whatsoever using >> GnuPG signatures. You'd just have to ship xen.sig and kernel.sig. This >> method doesn't have any controversy associated with EFI stuff but at >> this particular case does exactly the same thing: verify signature. >> multiboot2 is mainly memory structure specification so probably how the >> files are checked is outside of its scope. But it's possible to add >> specification on how to embed signatures in kernel. >> > > I'm a bit skeptical here. Given that > > - EFI secure boot will still be needed to handle Windows > - kernel can be launched directly as EFI application > - there are other bootloaders with secure boot support > > distributions will likely need to carry on EFI secure boot support. At > which point it is not clear what advantages second, parallel, > infrastructure for the sake of single application will bring. > Using PE signatures is possible as I already said which invalidates your points. > The most compelling reason would be allowing module loading (which is > currently disabled by secure boot patches). >
signature.asc
Description: OpenPGP digital signature
