Hi Matthew,
On Sun, 24 Nov 2024 at 21:29, Matthew Garrett <mj...@srcf.ucam.org> wrote:
>
> On Sun, Nov 24, 2024 at 03:43:12PM +0100, Heinrich Schuchardt wrote:
> > > + /* That failed, so try allocating anywhere there's enough room */
> > > + status = boot->allocate_pages(EFI_ALLOCATE_ANY_PAGES,
> > > EFI_LOADER_DATA, pages, &addr);
I don't think you can use this as is. IIRC the PE/COFF header defines
the alignment of the loaded image that's why we have
efi_alloc_aligned_pages()
> > > + if (status == EFI_SUCCESS) {
> > > + /* Make sure bootm knows where we loaded the image */
> > > + os->load = addr;
> > > + return;
> > > + }
> >
> > Why don't you simply call LoadImage()?
>
> With secure boot that requires that the kernel image have a trusted
> signature, whereas we're relying on a signed FIT.
That signed FIT, contains a kernel compiled as a PE/COFF and you
*want* to jump the the efi stub right? If that's the case and we trust
FIT, why don't we just ignore the crypto checks on LoadImage?
Thanks
/Ilias
