On 14.03.2024 10:30, Ross Lagerwall wrote: > On Thu, Mar 14, 2024 at 7:24 AM Jan Beulich <jbeul...@suse.com> wrote: >> >> On 13.03.2024 16:07, Ross Lagerwall wrote: >>> In addition to the existing address and ELF load types, specify a new >>> optional PE binary load type. This new type is a useful addition since >>> PE binaries can be signed and verified (i.e. used with Secure Boot). >> >> And the consideration to have ELF signable (by whatever extension to >> the ELF spec) went nowhere? >> > > I'm not sure if you're referring to some ongoing work to create signable > ELFs that I'm not aware of.
Something must have been invented already to make Linux modules signable. > I didn't choose that route because: > > * Signed PE binaries are the current standard for Secure Boot. > > * Having signed ELF binaries would mean that code to handle them needs > to be added to Shim which contravenes its goals of being small and > simple to verify. Both true, but neither goes entirely without saying, I suppose. > * I could be wrong on this but to my knowledge, the ELF format is not > being actively updated nor is the standard owned/maintained by a > specific group which makes updating it difficult. And PE/COFF isn't under control of a public entity / group afaik, which may be viewed as no better, if not worse. > * Tools would need to be updated/developed to add support for signing > ELF binaries and inspecting the signatures. As above, yes indeed. Jan
