Hi Tom,

On Fri, May 31, 2019 at 11:05:20AM -0400, Tom Rini wrote:
On Fri, May 31, 2019 at 02:40:32PM +0100, Steve McIntyre wrote:
On Tue, May 28, 2019 at 02:04:23PM +0300, Ilias Apalodimas wrote:
The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the EFI payloads
I think that you'd better explain why you stick to *UEFI* secure boot.
The main reason is distro support. Since distros use a number of different ways of booting up on arm boards, using UEFI is the obvious way to unify that (and already supported on some) regardless of the bootloader. UEFI secure boot provides a common approach to security instead of 'per bootloader' solutions.
Yup, absolutely (says the Debian EFI team lead) ...
The other thing we need to keep in mind is that (based on my own experience implementing UEFI secure boot on an x86_64 platform), we are not looking at a case of "make an existing solution function on other architectures" but rather "there's some good concepts here and an implementation waiting to be figured out".
We agree here. From Grant's proposals #1 and #2, I'd prefer seeing something similar to #2 implemented. I'd prefer having the option to authenticate DTB/initramfs from the 'main bootloader' rather than delegating that to some EFI payload, mostly for fragmentation reasons.
Thanks
/Ilias